Search Results (9044 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-26107 1 Microsoft 11 365 Apps, Excel, Excel 2016 and 8 more 2026-04-14 7.8 High
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-26132 1 Microsoft 19 Windows 10 21h2, Windows 10 21h2, Windows 10 22h2 and 16 more 2026-04-14 7.8 High
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-25189 1 Microsoft 8 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 5 more 2026-04-14 7.8 High
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2026-25171 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-14 7 High
Use after free in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.
CVE-2026-25167 1 Microsoft 8 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 5 more 2026-04-14 7.4 High
Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.
CVE-2026-24292 1 Microsoft 22 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 19 more 2026-04-14 7.8 High
Use after free in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally.
CVE-2026-24289 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-14 7.8 High
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-23671 1 Microsoft 25 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 22 more 2026-04-14 7 High
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-23667 1 Microsoft 14 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 11 more 2026-04-14 7 High
Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally.
CVE-2020-9715 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Macos and 1 more 2026-04-14 7.8 High
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2026-4148 1 Mongodb 2 Mongodb, Mongodb Server 2026-04-13 8.8 High
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
CVE-2024-46683 1 Linux 1 Linux Kernel 2026-04-09 7.8 High
In the Linux kernel, the following vulnerability has been resolved: drm/xe: prevent UAF around preempt fence The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed. However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to uaf. To prevent this, move the fence lock into the fence itself so we don't run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues. References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020 (cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
CVE-2024-44986 2 Debian, Linux 2 Debian Linux, Linux Kernel 2026-04-09 7.8 High
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive.
CVE-2024-44974 2 Debian, Linux 2 Debian Linux, Linux Kernel 2026-04-09 7.8 High
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with.
CVE-2025-47374 1 Qualcomm 61 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 58 more 2026-04-09 6.5 Medium
Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.
CVE-2026-21380 1 Qualcomm 47 Cologne, Cologne Firmware, Fastconnect 6900 and 44 more 2026-04-09 7.8 High
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory.
CVE-2026-34510 1 Openclaw 1 Openclaw 2026-04-07 5.3 Medium
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.
CVE-2025-22040 2 Debian, Linux 2 Debian Linux, Linux Kernel 2026-04-06 8.8 High
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it.
CVE-2023-53510 1 Linux 1 Linux Kernel 2026-04-06 7.8 High
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix handling of lrbp->cmd ufshcd_queuecommand() may be called two times in a row for a SCSI command before it is completed. Hence make the following changes: - In the functions that submit a command, do not check the old value of lrbp->cmd nor clear lrbp->cmd in error paths. - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd. See also scsi_send_eh_cmnd(). This commit prevents that the following appears if a command times out: WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8 Call trace: ufshcd_queuecommand+0x6f8/0x9a8 scsi_send_eh_cmnd+0x2c0/0x960 scsi_eh_test_devices+0x100/0x314 scsi_eh_ready_devs+0xd90/0x114c scsi_error_handler+0x2b4/0xb70 kthread+0x16c/0x1e0
CVE-2025-22083 1 Linux 1 Linux Kernel 2026-04-06 7.8 High
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.