By weakness (CWE)

CWE-416: related vulnerabilities

CVEs classified under CWE-416. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

147 published vulnerabilities · page 2 of 2

  • CVE-2026-9948HIGH 8.3

    Google Chrome on macOS contains a use-after-free vulnerability in its Views component that could allow an attacker to escape the browser's sandbox. The attack requires two conditions: the attacker must first compromise Chrome's renderer process (the sandboxed component that executes web content), and the victim must interact with a specially crafted webpage. If successful, the attacker gains access beyond the sandbox, potentially compromising the entire system. This vulnerability affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9949HIGH 8.3

    A use-after-free memory vulnerability exists in Google Chrome's Core component on Windows that could allow an attacker to escape the browser's sandbox. The vulnerability requires the attacker to have already compromised Chrome's renderer process and trick a user into visiting a malicious webpage. If successfully exploited, an attacker could gain the same privileges as the Windows user running Chrome, potentially compromising the entire system.

  • CVE-2026-9951HIGH 8.3

    Google Chrome before version 148.0.7778.216 contains a use-after-free vulnerability in its user interface rendering engine. This flaw allows an attacker to craft a malicious HTML page that, when visited by a user, can trigger memory corruption. The vulnerability is particularly dangerous because it may enable attackers to break out of Chrome's sandbox—the security boundary that isolates the browser from the underlying operating system—potentially gaining direct access to system resources and user data. Exploitation requires user interaction (clicking or visiting a malicious site) and involves complex attack conditions, but the potential for sandbox escape elevates the risk significantly.

  • CVE-2026-9970HIGH 8.3

    A use-after-free memory vulnerability exists in Google Chrome's WebGL component that could allow an attacker to escape the browser sandbox. An attacker would first need to compromise Chrome's renderer process—typically through a separate exploit or social engineering—and then could use a specially crafted HTML page to gain unauthorized access outside the browser's security boundaries. This vulnerability affects Chrome versions before 148.0.7778.216 on Windows, macOS, and Linux systems.

  • CVE-2026-9988HIGH 8.3

    A use-after-free memory flaw in Chrome's WebRTC component on Linux could allow an attacker to escape the browser's security sandbox. By crafting a malicious webpage, an attacker who tricks a user into visiting it could potentially break out of Chrome's isolation protections and execute code with system-level privileges. This affects Chrome versions before 148.0.7778.216 on Linux systems.

  • CVE-2026-9993HIGH 8.3

    A use-after-free memory vulnerability exists in Google Chrome's rendering engine that allows an attacker to escape the browser's sandbox if they have already compromised the renderer process. The vulnerability is triggered when a user opens a malicious PDF file. This is a critical threat because it could allow an attacker who has gained code execution within the browser to break out of Chrome's security boundaries and gain access to the underlying operating system.

  • CVE-2026-9994HIGH 8.3

    A use-after-free vulnerability exists in Google Chrome's core rendering engine on Windows systems. An attacker who has already compromised the browser's renderer process can exploit this flaw through a specially crafted HTML page to escape the browser sandbox—breaking out of Chrome's security isolation layer. This means an attacker could potentially gain full system access from within the constrained renderer environment.

  • CVE-2026-9997HIGH 8.3

    Google Chrome versions prior to 148.0.7778.216 contain a use-after-free vulnerability in the Input component that could allow an attacker to escape the browser's sandbox. The attack requires the attacker to have already compromised Chrome's renderer process and trick a user into visiting a malicious HTML page. If successful, the attacker could break out of the sandbox and gain access to the underlying operating system.

  • CVE-2026-10887HIGH 8.1

    A use-after-free flaw in Chrome's Chromoting remote desktop feature on macOS allows attackers to execute arbitrary code by sending specially crafted network traffic. The vulnerability exists in versions prior to 149.0.7827.53 and requires no user interaction—an attacker on the network can trigger the bug remotely, making this a critical threat to any Mac user running an affected Chrome version.

  • CVE-2026-9964HIGH 8.1

    CVE-2026-9964 is a memory safety vulnerability in Chrome's Bluetooth implementation on macOS that can allow attackers to run malicious code on a victim's computer. The attack requires two user actions: the victim must first install a malicious Chrome extension, and then interact with Bluetooth functionality in a way that triggers the underlying flaw. Once those conditions are met, the attacker can execute arbitrary code with the same privileges as the Chrome process.

  • CVE-2026-40290HIGH 7.8

    OP-TEE is a trusted execution environment that provides a secure processing space on Arm-based processors. A race condition in OP-TEE versions 3.16.0 through 4.10.x creates a use-after-free vulnerability in the shared memory management code. The vulnerability occurs when OP-TEE is configured to manage secure partitions (a specific operational mode). A local user could exploit this by timing concurrent operations on shared memory to cause the system to access memory that has already been freed, potentially compromising the confidentiality, integrity, or availability of the secure environment.

  • CVE-2026-46111HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.

  • CVE-2026-46116HIGH 7.8

    A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.

  • CVE-2026-46120HIGH 7.8

    A flaw in the Linux kernel's IPv6 GRE tunnel implementation allows a local attacker with unprivileged user namespace capabilities to trigger memory corruption. The vulnerability stems from inconsistent netns (network namespace) handling in the ip6erspan_changelink() function, which fails to use the correct cached network namespace context when reconfiguring an ERSPAN tunnel after it has been migrated between namespaces. This can lead to kernel crashes and potential privilege escalation.

  • CVE-2026-46121HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.

  • CVE-2026-46180HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Broadcom Wi-Fi driver (brcmfmac) watchdog task shutdown logic. When the kernel stops the watchdog task, a race condition can occur where the task terminates between two function calls, leaving dangling references that code attempts to access. An attacker with local access can exploit this timing weakness to crash the system or potentially execute code with elevated privileges.

  • CVE-2026-46210HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's iris media driver that can be triggered when multiple instances operate concurrently. The flaw arises from a timing gap: while one thread checks video format parameters (width and height) during a macro block validation, another thread may simultaneously free those same format structures. This leaves the checker reading memory that has already been released, potentially crashing the kernel or allowing privilege escalation. The vulnerability requires local access and is triggered through normal kernel operations when multiple media encoding or decoding sessions run in parallel.

  • CVE-2026-46213HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Apple keyboard HID driver (appletb-kbd). When the driver unloads or encounters an error during initialization, a cleanup race condition allows a timer callback to access freed memory. The timer can fire after the backlight device is deallocated but before the driver has fully stopped listening for hardware events, causing kernel memory corruption. An attacker with local access and the ability to trigger driver unload or timing conditions could crash the system or potentially execute code with kernel privileges.

  • CVE-2026-46215HIGH 7.8

    A race condition exists in the Linux kernel's DRM (Direct Rendering Manager) subsystem, specifically in the change_handle function. When an application changes a graphics handle, the kernel briefly maintains two references to the same object in its internal tracking structures. A concurrent operation can delete the graphics object while one reference remains valid, leaving a dangling pointer that could later be dereferenced, causing a crash or potential code execution. The fix involves properly nullifying the old handle before performing operations, matching a defensive pattern already used elsewhere in the DRM code.

  • CVE-2026-46219HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's MPC52xx SPI driver. When the driver is unbound (e.g., during module unload or device removal), a scheduled work queue task can attempt to access driver state that has already been freed, potentially leading to memory corruption or a kernel crash. The vulnerability arises from a race condition: the interrupt handler schedules work, but the unbind routine disables interrupts without ensuring the scheduled work completes before freeing resources.

  • CVE-2026-46227HIGH 7.8

    A race condition exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation that can lead to use-after-free or type-confusion memory safety violations. The vulnerability occurs when the kernel broadcasts messages to multiple SCTP associations while temporarily releasing the socket lock. During this window, another thread can migrate or free an association that the broadcast operation cached as the next item to process. This can result in the kernel operating on freed memory or misinterpreting data structures, potentially allowing local attackers to gain control over kernel execution flow.

  • CVE-2026-46240HIGH 7.8

    A use-after-free vulnerability was introduced in the Linux kernel's Iris media driver through a recent change meant to improve buffer lifecycle management. The bug occurs in the iris_release_internal_buffers() function, where a buffer object continues to be accessed after it has been freed by a called function. This type of memory safety issue can allow a local attacker with user-level privileges to corrupt kernel memory or execute arbitrary code with kernel privileges.

  • CVE-2026-46241HIGH 7.8

    CVE-2026-46241 is a use-after-free vulnerability in the Linux kernel's MPC52xx SPI controller driver. When the controller registration process fails, the driver fails to properly clean up allocated interrupt resources. This leaves freed memory accessible, creating a window for potential exploitation and causing a resource leak. The issue affects systems using the MPC52xx SPI controller on Linux and was discovered during a review of related deregistration code.

  • CVE-2026-46242HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's eventpoll subsystem that can allow a local attacker with regular user privileges to trigger memory corruption. The flaw occurs when the kernel removes file descriptors from epoll monitoring while another process is simultaneously closing that file. This race condition can lead to the kernel writing data to freed memory or cause slab cache confusion, potentially enabling privilege escalation or denial of service.

  • CVE-2026-46246HIGH 7.8

    A race condition in the Linux kernel's power supply driver (pm8916_lbc) can cause the system to crash or corrupt memory during device removal. The bug stems from a resource initialization order problem: an interrupt handler is registered before its associated data structure (extcon handle) is fully set up. When the device is removed, the data structure gets freed before the interrupt handler is disabled, creating a window where a pending interrupt could try to use already-freed memory. This is a use-after-free vulnerability that requires local access to trigger.

  • CVE-2026-46267HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's NFC (Near Field Communication) SHDLC (Synchronous Half-Duplex Link Control) driver. The vulnerability occurs during driver shutdown when memory is freed while background timers and worker threads are still active. These timers and workers can attempt to access the freed memory after it has been released, potentially leading to system crashes or privilege escalation. A local attacker with basic user privileges can trigger this condition.

  • CVE-2026-47331HIGH 7.8

    Ubuntu Linux kernel version 6.8 contains a critical flaw in the AppArmor security module where protective locks are not properly acquired during linked list modifications. This oversight allows an unprivileged local user to create a race condition that results in a use-after-free memory error. While arbitrary code execution is theoretical at this stage, the vulnerability poses a serious risk to system integrity and confidentiality. An attacker with local system access could potentially escalate privileges or compromise sensitive data.

  • CVE-2026-10003HIGH 7.5

    A use-after-free vulnerability in Chrome's Views component allows attackers to execute arbitrary code on affected systems. The flaw requires user interaction—specifically, the victim must perform particular UI gestures after being convinced to visit a malicious webpage. Once triggered, the vulnerability grants the attacker the same privileges as the user running the browser, potentially leading to complete system compromise.

  • CVE-2026-10005HIGH 7.5

    Google Chrome on macOS contains a use-after-free vulnerability in its WebAppInstalls component that can be exploited to execute arbitrary code. An attacker would need to convince a user to perform specific gestures within a crafted HTML page to trigger the flaw. This affects Chrome versions prior to 148.0.7778.216.

  • CVE-2026-10899HIGH 7.5

    A use-after-free vulnerability exists in Google Chrome's Ozone display system on Linux that could allow an attacker to corrupt the browser's memory. If a user is tricked into performing specific UI interactions on a malicious webpage, the attacker could potentially execute code or crash the browser. This flaw affects Chrome versions prior to 149.0.7827.53 on Linux systems.

  • CVE-2026-10900HIGH 7.5

    A use-after-free flaw in Google Chrome's password management feature on macOS allows attackers to corrupt memory and potentially execute code if they trick a user into performing specific interactions with a malicious webpage. The vulnerability requires user interaction and affects Chrome versions before 149.0.7827.53. While rated HIGH by CVSS, the attack surface is narrowed by the need for deliberate user gestures and the complexity of reliable exploitation.

  • CVE-2026-10901HIGH 7.5

    A use-after-free memory flaw exists in Google Chrome's password manager on macOS. An attacker can trigger the vulnerability by convincing a user to interact with a specially crafted webpage in specific ways—for example, through unusual clicking patterns or drag-and-drop actions in the password UI. Successful exploitation allows remote code execution with the privileges of the Chrome process. This is a memory safety issue where the browser continues to reference password manager data after it has been freed, creating an opportunity for malicious code injection.

  • CVE-2026-10906HIGH 7.5

    Google Chrome contains a use-after-free vulnerability in its WebAuthentication implementation that can lead to heap memory corruption. An attacker must craft a malicious HTML page and convince a user to interact with it in a specific way—such as clicking or gesturing within the web interface—to trigger the flaw. Successfully exploiting this could allow the attacker to execute arbitrary code or crash the browser. The vulnerability affects Chrome versions before 149.0.7827.53.

  • CVE-2026-44422HIGH 7.5

    FreeRDP, a widely-used open-source Remote Desktop Protocol client, contains a memory corruption vulnerability in its authentication-redirection subsystem. A malicious RDP server can craft specially-formed authentication data that causes the FreeRDP client to allocate a single heap object but then attempt to free it twice—or use it after the first deallocation. This occurs because the parser doesn't properly track which heap objects correspond to which data structures when the same object reference is reused. The result is a crash or potential code execution on the client machine. The vulnerability requires user interaction (connecting to a malicious server) but affects all FreeRDP versions before 3.26.0.

  • CVE-2026-8829HIGH 7.5

    HTML::Entities, a widely-used Perl library for encoding and decoding HTML entities, contains a use-after-free vulnerability in versions before 3.84. The flaw occurs in the internal _decode_entities function when processing specially crafted entity-reference strings. Under specific conditions—when the input string matches a cached entity value that contains a self-referential entity—the library can read from memory that has already been freed. This potentially exposes adjacent heap contents to an attacker, creating a limited information disclosure risk.

  • CVE-2026-9901HIGH 7.5

    A use-after-free flaw in ANGLE (the graphics abstraction layer used by Chrome) allows an attacker to run malicious code on a target's machine. The attack requires two conditions: the attacker must first compromise Chrome's renderer process (the component that draws web content), and the victim must then visit a specially crafted web page. Once both conditions are met, arbitrary code can execute with the privileges of the compromised renderer process. This affects Chrome versions before 148.0.7778.216.

  • CVE-2026-9922HIGH 7.5

    A use-after-free vulnerability exists in Google Chrome's GPU rendering engine on macOS. The flaw allows an attacker who has already compromised Chrome's renderer process to execute arbitrary code by serving a specially crafted HTML page. This is a post-compromise risk: the attacker must first break into the renderer sandbox, but if successful, can then escalate to full code execution with system privileges. The vulnerability affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9933HIGH 7.5

    CVE-2026-9933 is a use-after-free memory vulnerability in Google Chrome's input handling code that allows attackers to corrupt heap memory on affected systems. Exploitation requires an attacker to trick a user into performing specific UI interactions (such as unusual mouse or keyboard gestures) while viewing a specially crafted HTML page. This is not a passive drive-by attack; active user participation is required. If successfully exploited, an attacker could execute arbitrary code with the privileges of the Chrome process, leading to complete compromise of the affected user's system.

  • CVE-2026-9934HIGH 7.5

    A use-after-free memory flaw exists in Google Chrome's Aura component (which handles window management and input) before version 148.0.7778.216. An attacker could exploit this by convincing a user to interact with a specially crafted webpage using specific mouse or keyboard gestures. Successful exploitation would allow the attacker to run arbitrary code on the victim's machine with the privileges of the Chrome process.

  • CVE-2026-9954HIGH 7.5

    A use-after-free vulnerability exists in Google Chrome's TabStrip component that can lead to memory corruption. An attacker must trick a user into performing specific UI interactions (like clicking or dragging tabs in a particular sequence) on a malicious website to potentially trigger the flaw. Successful exploitation could allow the attacker to read sensitive data, modify page content, or crash the browser. The vulnerability affects Chrome versions prior to 148.0.7778.216 across Windows, macOS, and Linux.

  • CVE-2026-9956HIGH 7.5

    A use-after-free vulnerability in Google Chrome on iOS allows remote attackers to execute arbitrary code if a user can be tricked into performing specific gestures on a malicious webpage. The vulnerability requires user interaction but doesn't require special privileges or system access, making it a realistic attack vector for threat actors hosting compromised or attacker-controlled sites.

  • CVE-2026-9990HIGH 7.5

    Google Chrome on macOS contains a use-after-free vulnerability in its web app installation feature that could allow an attacker to corrupt memory on a user's system. The vulnerability requires a user to perform specific interactions with a malicious webpage, but once triggered, it could potentially give an attacker the ability to read sensitive data, modify files, or crash the browser. The issue affects Chrome versions before 148.0.7778.216 on Mac systems.

  • CVE-2026-46154HIGH 7.0

    A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.

  • CVE-2026-10703MEDIUM 6.3

    A use-after-free memory safety flaw exists in EIPStackGroup OpENer versions up to 2.3.0 within the SendRRData request handler. An authenticated attacker can remotely trigger memory corruption by crafting malicious messages, potentially leading to information disclosure or service disruption. The vulnerability has been publicly disclosed but the vendor has not yet acknowledged or released a patch.

  • CVE-2025-60486MEDIUM 5.5

    A memory safety flaw in GPAC's MP4Box tool allows an attacker to crash the application by processing a specially crafted MPEG-2 video file. The vulnerability stems from improper memory management in the dasher_process function—specifically, the code attempts to access memory that has already been freed. An attacker with local file access can exploit this by distributing a malicious video file that, when opened in MP4Box, triggers the defect and renders the tool unusable. This is a denial-of-service issue rather than a path to code execution or data theft.

  • CVE-2026-10232MEDIUM 5.3

    CVE-2026-10232 is a use-after-free vulnerability in Assimp, an open-source 3D model import library, affecting versions up to 6.0.4. The flaw exists in the ASE file parser component and can be triggered by a local attacker with user-level privileges when processing specially crafted ASE (ASCII Scene Export) files. Exploitation could allow an attacker to read sensitive data, modify application state, or crash the process. Because exploitation requires local access and user permissions, the risk is primarily relevant in multi-user systems or scenarios where untrusted ASE files are processed by privileged applications.

  • CVE-2026-50219MEDIUM 4.9

    libexpat, a widely-used XML parsing library, contains a use-after-free vulnerability in versions before 2.8.2. The flaw occurs when certain XML parsing functions (XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset) are called from within event handlers without proper depth tracking. This can lead to memory safety violations and potentially allow attackers to crash applications or, in some scenarios, execute arbitrary code. The vulnerability requires local access and specific conditions to trigger, making it a moderate-risk issue rather than a widespread internet-facing threat.