Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7531

Summary
Assigner-wolfSSL
Assigner Org ID-50d2cd11-d01a-48ed-9441-5bfce9d63b27
Published At-25 Jun, 2026 | 20:01
Updated At-26 Jun, 2026 | 13:17
Rejected At-
Credits

Use-after-free in PQC hybrid key-share handling

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:wolfSSL
Assigner Org ID:50d2cd11-d01a-48ed-9441-5bfce9d63b27
Published At:25 Jun, 2026 | 20:01
Updated At:26 Jun, 2026 | 13:17
Rejected At:
▼CVE Numbering Authority (CNA)
Use-after-free in PQC hybrid key-share handling

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

Affected Products
Vendor
wolfSSL
Product
wolfSSL
Collection URL
https://github.com/wolfSSL/wolfssl
Default Status
unaffected
Versions
Affected
  • From 5.8.0 through 5.9.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-416CWE-416 Use After Free
Type: CWE
CWE ID: CWE-416
Description: CWE-416 Use After Free
Metrics
VersionBase scoreBase severityVector
4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Thai Duong (Calif.io / Anthropic)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/wolfSSL/wolfssl/pull/10327
patch
https://www.wolfssl.com/docs/security-vulnerabilities/
N/A
Hyperlink: https://github.com/wolfSSL/wolfssl/pull/10327
Resource:
patch
Hyperlink: https://www.wolfssl.com/docs/security-vulnerabilities/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:facts@wolfssl.com
Published At:25 Jun, 2026 | 20:17
Updated At:26 Jun, 2026 | 16:53

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

wolfssl
wolfssl
>>wolfssl>>Versions from 5.8.0(inclusive) to 5.9.2(exclusive)
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-416Secondaryfacts@wolfssl.com
CWE ID: CWE-416
Type: Secondary
Source: facts@wolfssl.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/wolfSSL/wolfssl/pull/10327facts@wolfssl.com
Issue Tracking
Patch
https://www.wolfssl.com/docs/security-vulnerabilities/facts@wolfssl.com
Vendor Advisory
Hyperlink: https://github.com/wolfSSL/wolfssl/pull/10327
Source: facts@wolfssl.com
Resource:
Issue Tracking
Patch
Hyperlink: https://www.wolfssl.com/docs/security-vulnerabilities/
Source: facts@wolfssl.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

369Records found

CVE-2025-14942
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-9.4||CRITICAL
EPSS-0.35% / 26.95%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 17:26
Updated-12 Jan, 2026 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

Action-Not Available
Vendor-wolfsshwolfSSL
Product-wolfsshwolfSSH
CWE ID-CWE-287
Improper Authentication
CVE-2025-11625
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-9.4||CRITICAL
EPSS-0.41% / 33.16%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 13:25
Updated-06 Jan, 2026 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Host verification bypass and credential leak

Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials.

Action-Not Available
Vendor-wolfsshwolfSSL
Product-wolfsshwolfSSH
CWE ID-CWE-287
Improper Authentication
CVE-2019-16748
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.15% / 63.13%
||
7 Day CHG~0.00%
Published-24 Sep, 2019 | 12:12
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-11873
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.78% / 94.53%
||
7 Day CHG~0.00%
Published-23 May, 2019 | 12:54
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, total extensions length, PSK extension length, total identity length, and identity length contain their maximum value which is 2^16. The identity data field of the PSK extension of the packet contains the attack data, to be stored in the undefined memory (RAM) of the server. The size of the data is about 65 kB. Possibly the attacker can perform a remote code execution attack.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-5187
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-2.3||LOW
EPSS-0.28% / 20.13%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 19:45
Updated-16 Apr, 2026 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL

Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-5264
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-8.3||HIGH
EPSS-0.45% / 35.75%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 21:43
Updated-29 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DTLS 1.3 ACK heap buffer overflow

Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-122
Heap-based Buffer Overflow
CVE-2026-4395
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-1.3||LOW
EPSS-0.34% / 26.36%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 20:41
Updated-26 Mar, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Heap-based buffer overflow in wc_ecc_import_x963_ex KCAPI path

Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfssl
CWE ID-CWE-122
Heap-based Buffer Overflow
CVE-2026-3849
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.57%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 20:29
Updated-26 Mar, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buffer Overflow in HPKE via Oversized ECH Config

Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.

Action-Not Available
Vendor-wolfsslwolfSSL Inc.
Product-wolfsslwolfSSL
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-3548
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-7.2||HIGH
EPSS-0.47% / 37.34%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 17:45
Updated-29 Apr, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buffer overflow in CRL number parsing in wolfSSL

Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-3549
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-8.3||HIGH
EPSS-0.49% / 38.40%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 20:09
Updated-26 Mar, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ECH parsing heap buffer overflow

Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving.

Action-Not Available
Vendor-wolfsslwofSSL
Product-wolfsslwolfSSL
CWE ID-CWE-122
Heap-based Buffer Overflow
CVE-2017-2800
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-8.1||HIGH
EPSS-8.53% / 94.39%
||
7 Day CHG~0.00%
Published-24 May, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-37155
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.49% / 71.02%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 13:43
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CVE-2025-7394
Matching Score-8
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-8
Assigner-wolfSSL Inc.
CVSS Score-7||HIGH
EPSS-0.39% / 30.66%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 22:34
Updated-03 Dec, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2014-2898
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.77% / 84.54%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 15:42
Updated-06 Aug, 2024 | 10:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function which triggers an out-of-bounds read when an error occurs, related to not checking the return code and MAC verification failure.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2014-2897
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.77% / 84.54%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 15:41
Updated-06 Aug, 2024 | 10:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a crafted HMAC, which triggers an out-of-bounds read.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2014-2896
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.77% / 84.54%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 15:41
Updated-06 Aug, 2024 | 10:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact and vectors, which trigger memory corruption or an out-of-bounds read.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-36177
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.52% / 87.82%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 15:54
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.

Action-Not Available
Vendor-wolfssln/a
Product-wolfssln/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-5460
Matching Score-6
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-6
Assigner-wolfSSL Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.27% / 19.30%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 23:29
Updated-29 Apr, 2026 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Heap Use-After-Free in PQC Hybrid KeyShare Error Cleanup in wolfSSL TLS 1.3

A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.

Action-Not Available
Vendor-wolfsslwolfSSL
Product-wolfsslwolfSSL
CWE ID-CWE-416
Use After Free
CVE-2026-8695
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.63% / 45.62%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 17:01
Updated-18 May, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
radare2 6.1.5 Use-After-Free via gdbr_threads_list()

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.

Action-Not Available
Vendor-Radare2 (r2)
Product-radare2radare2
CWE ID-CWE-416
Use After Free
CVE-2026-8696
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.60% / 44.49%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 20:52
Updated-19 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
radare2 6.1.5 Use-After-Free via gdbr_pids_list()

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.

Action-Not Available
Vendor-Radare2 (r2)
Product-radare2radare2
CWE ID-CWE-416
Use After Free
CVE-2014-1486
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.07% / 93.44%
||
7 Day CHG~0.00%
Published-06 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationDebian GNU/LinuxFedora Project
Product-thunderbirdsuse_linux_enterprise_software_development_kitdebian_linuxubuntu_linuxseamonkeyenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_ausfedorafirefoxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_eussuse_linux_enterprise_desktopopensusen/a
CWE ID-CWE-416
Use After Free
CVE-2014-1532
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.65% / 90.61%
||
7 Day CHG~0.00%
Published-30 Apr, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in the nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to host resolution.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationDebian GNU/LinuxFedora Project
Product-thunderbirdenterprise_linux_eusfirefoxubuntu_linuxseamonkeydebian_linuxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_eusenterprise_linux_server_ausfedoraopensusen/a
CWE ID-CWE-416
Use After Free
CVE-2025-26623
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.82% / 52.63%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 19:24
Updated-02 Sep, 2025 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use After Free in Exiv2

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Exiv2
Product-exiv2exiv2
CWE ID-CWE-416
Use After Free
CVE-2025-25568
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.61%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 00:00
Updated-19 Jul, 2025 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function. NOTE: the Supplier disputes this because the use-after-free is not in the VPN software, but is instead in a separate tool that has no untrusted input and runs under the user's own privileges (it is a stress-testing tool for a networking stack).

Action-Not Available
Vendor-softethern/a
Product-vpnn/a
CWE ID-CWE-416
Use After Free
CVE-2026-9158
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-5.2||MEDIUM
EPSS-0.30% / 22.14%
||
7 Day CHG+0.15%
Published-18 Jun, 2026 | 14:10
Updated-02 Jul, 2026 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-4diac_forteEclipse 4diac
CWE ID-CWE-416
Use After Free
CVE-2025-22408
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 29.42%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-02 Sep, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In rfc_check_send_cmd of rfc_utils.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-416
Use After Free
CVE-2020-9895
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-4.14% / 89.60%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 16:40
Updated-04 Aug, 2024 | 10:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

Action-Not Available
Vendor-Apple Inc.
Product-itunesiphone_oswatchosipadostvossafariicloudiTunes for WindowswatchOSiCloud for WindowsSafariiOSiCloud for Windows (Legacy)tvOS
CWE ID-CWE-416
Use After Free
CVE-2025-22403
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 29.42%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-02 Sep, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-416
Use After Free
CVE-2013-5616
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.67% / 93.08%
||
7 Day CHG~0.00%
Published-11 Dec, 2013 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in the nsEventListenerManager::HandleEventSubType function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to mListeners event listeners.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationFedora Project
Product-thunderbirdsuse_linux_enterprise_software_development_kitubuntu_linuxseamonkeyenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_eusenterprise_linux_server_ausfedorafirefoxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_eussuse_linux_enterprise_desktopopensusen/a
CWE ID-CWE-416
Use After Free
CVE-2025-21298
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-80.91% / 99.58%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 18:03
Updated-09 Jun, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows OLE Remote Code Execution Vulnerability

Windows OLE Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1607windows_10_1809windows_server_2008windows_11_24h2windows_11_22h2windows_server_2012windows_server_2016windows_server_2022windows_server_2022_23h2windows_10_21h2windows_10_1507windows_server_2019windows_10_22h2windows_server_2025windows_11_23h2Windows 11 Version 23H2Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2016Windows 10 Version 1607Windows Server 2019 (Server Core installation)Windows Server 2019Windows Server 2012 R2 (Server Core installation)Windows Server 2008 R2 Service Pack 1Windows 10 Version 21H2Windows 10 Version 1507Windows 11 Version 24H2Windows Server 2008 Service Pack 2 (Server Core installation)Windows 11 version 22H3Windows Server 2008 Service Pack 2Windows Server 2016 (Server Core installation)Windows Server 2025 (Server Core installation)Windows 10 Version 1809Windows Server 2012 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H2Windows Server 2025Windows Server 2022Windows Server 2012Windows 10 Version 22H2Windows Server 2012 R2
CWE ID-CWE-416
Use After Free
CVE-2013-5618
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.41% / 95.18%
||
7 Day CHG~0.00%
Published-11 Dec, 2013 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationFedora Project
Product-thunderbirdsuse_linux_enterprise_software_development_kitubuntu_linuxseamonkeyenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_eusenterprise_linux_server_ausfedorafirefoxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_eussuse_linux_enterprise_desktopopensusen/a
CWE ID-CWE-416
Use After Free
CVE-2013-5613
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.45% / 94.82%
||
7 Day CHG~0.00%
Published-11 Dec, 2013 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in the PresShell::DispatchSynthMouseMove function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving synthetic mouse movement, related to the RestyleManager::GetHoverGeneration function.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationFedora Project
Product-thunderbirdsuse_linux_enterprise_software_development_kitubuntu_linuxseamonkeyenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_eusenterprise_linux_server_ausfedorafirefoxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_eussuse_linux_enterprise_desktopopensusen/a
CWE ID-CWE-416
Use After Free
CVE-2025-21307
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.84% / 76.39%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 18:04
Updated-09 Jun, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1607windows_10_1809windows_server_2008windows_11_24h2windows_11_22h2windows_server_2012windows_server_2016windows_server_2022windows_server_2022_23h2windows_10_21h2windows_10_1507windows_server_2019windows_10_22h2windows_server_2025windows_11_23h2Windows 11 Version 23H2Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2016Windows 10 Version 1607Windows Server 2019 (Server Core installation)Windows Server 2019Windows Server 2012 R2 (Server Core installation)Windows Server 2008 R2 Service Pack 1Windows 10 Version 21H2Windows 10 Version 1507Windows 11 Version 24H2Windows Server 2008 Service Pack 2 (Server Core installation)Windows 11 version 22H3Windows Server 2008 Service Pack 2Windows Server 2016 (Server Core installation)Windows Server 2025 (Server Core installation)Windows 10 Version 1809Windows Server 2012 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H2Windows Server 2025Windows Server 2022Windows Server 2012Windows 10 Version 22H2Windows Server 2012 R2
CWE ID-CWE-416
Use After Free
CVE-2026-6722
Matching Score-4
Assigner-PHP Group
ShareView Details
Matching Score-4
Assigner-PHP Group
CVSS Score-9.5||CRITICAL
EPSS-0.74% / 50.07%
||
7 Day CHG+0.23%
Published-10 May, 2026 | 04:19
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-After-Free in SOAP using Apache map

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

Action-Not Available
Vendor-Red Hat, Inc.The PHP Group
Product-phpPHPRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux 10Red Hat Enterprise Linux AppStream (v. 8)
CWE ID-CWE-416
Use After Free
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-7261
Matching Score-4
Assigner-PHP Group
ShareView Details
Matching Score-4
Assigner-PHP Group
CVSS Score-6.3||MEDIUM
EPSS-0.30% / 21.88%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 04:07
Updated-12 May, 2026 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SoapServer session-persisted object use-after-free via SOAP header fault

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

Action-Not Available
Vendor-The PHP Group
Product-phpPHP
CWE ID-CWE-416
Use After Free
CVE-2024-38921
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 43.63%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 00:00
Updated-17 Dec, 2024 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a use-after-free via the nav2_amcl process. This vulnerability is triggered via remotely sending a request for change the value of dynamic-parameter`/amcl z_rand ` .

Action-Not Available
Vendor-openroboticsn/a
Product-robot_operating_systemn/a
CWE ID-CWE-416
Use After Free
CVE-2025-14860
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 17.90%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 14:21
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in the Disability Access APIs component

Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-416
Use After Free
CVE-2025-14321
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.01%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 13:37
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in the WebRTC: Signaling component

Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-416
Use After Free
CVE-2025-14326
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 31.42%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 13:38
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in the Audio/Video: GMP component

Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-416
Use After Free
CVE-2022-40009
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.01% / 58.93%
||
7 Day CHG+0.01%
Published-20 Sep, 2022 | 19:14
Updated-28 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SWFTools commit 772e55a was discovered to contain a heap-use-after-free via the function grow_unicode at /lib/ttf.c.

Action-Not Available
Vendor-n/aSWFTools
Product-swftoolsn/a
CWE ID-CWE-416
Use After Free
CVE-2025-13952
Matching Score-4
Assigner-Imagination Technologies
ShareView Details
Matching Score-4
Assigner-Imagination Technologies
CVSS Score-9.8||CRITICAL
EPSS-0.42% / 33.44%
||
7 Day CHG~0.00%
Published-24 Jan, 2026 | 02:26
Updated-28 Jan, 2026 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GPU DDK - libusc UAF via WebGPU shaders at MergeConsecutiveBarriersBP

A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object.

Action-Not Available
Vendor-Imagination Technologies Limited
Product-ddkGraphics DDK
CWE ID-CWE-416
Use After Free
CVE-2025-12380
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 22.53%
||
7 Day CHG~0.00%
Published-28 Oct, 2025 | 14:06
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in WebGPU internals triggered from a compromised child process

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability was fixed in Firefox 144.0.2.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-416
Use After Free
CVE-2019-16464
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-4.78% / 90.84%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 15:01
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationAdobe Inc.
Product-acrobat_dcwindowsmacosacrobat_reader_dcAdobe Acrobat and Reader
CWE ID-CWE-416
Use After Free
CVE-2019-16452
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-6.49% / 92.93%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 14:46
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationAdobe Inc.
Product-acrobat_dcwindowsmacosacrobat_reader_dcAdobe Acrobat and Reader
CWE ID-CWE-416
Use After Free
CVE-2025-11719
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 24.17%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 12:27
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free caused by the native messaging web extension API on Windows

Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

Action-Not Available
Vendor-Microsoft CorporationMozilla Corporation
Product-firefoxthunderbirdwindowsThunderbirdFirefox
CWE ID-CWE-416
Use After Free
CVE-2020-11656
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.41% / 93.69%
||
7 Day CHG~0.00%
Published-09 Apr, 2020 | 02:49
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

Action-Not Available
Vendor-sqliten/aNetApp, Inc.Oracle CorporationTenable, Inc.Siemens AG
Product-sinec_infrastructure_network_servicescommunications_messaging_serverontap_select_deploy_administration_utilitysqlitecommunications_network_charging_and_controlzfs_storage_appliance_kitoutside_in_technologytenable.schyperion_infrastructure_technologymysql_workbenchenterprise_manager_ops_centermysqln/a
CWE ID-CWE-416
Use After Free
CVE-2025-11708
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.97%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 12:27
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in MediaTrackGraphImpl::GetInstance()

Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-416
Use After Free
CVE-2026-25959
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.57% / 42.87%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 20:36
Updated-27 Feb, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeRDP has heap-use-after-free in xf_cliprdr_provide_data_

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.

Action-Not Available
Vendor-FreeRDP
Product-freerdpFreeRDP
CWE ID-CWE-416
Use After Free
CVE-2025-1009
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.20% / 64.33%
||
7 Day CHG+0.03%
Published-04 Feb, 2025 | 13:58
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in XSLT

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-416
Use After Free
CVE-2022-38667
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.13% / 79.74%
||
7 Day CHG~0.00%
Published-22 Aug, 2022 | 19:07
Updated-03 Aug, 2024 | 11:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it has begun processing a later request before it has finished processing an earlier request.

Action-Not Available
Vendor-crowcppn/a
Product-crown/a
CWE ID-CWE-416
Use After Free
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next
Details not found