CWE-416— Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.— MITRE CWE catalog
7,398 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-416page 133 of 148
- CVE-2026-31455HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still runn…
- CVE-2026-31469HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and t…
- CVE-2026-31473HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can ra…
- CVE-2026-31474HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for…
- CVE-2026-31485HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), …
- CVE-2026-31488HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdg…
- CVE-2026-31490HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Fix use-after-free in migration restore When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can…
- CVE-2026-31493HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. T…
- CVE-2026-31500HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retri…
- CVE-2026-31501CRITICALCVSS 9.8EG 9.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and…
- CVE-2026-31504HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` …
- CVE-2026-31511HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete This fixes the condition checking so mgmt_pending_valid is executed whenever status != -E…
- CVE-2026-31527HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the devi…
- CVE-2026-31530HIGHCVSS 7.8EG 7.82026-04-22
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use after free of parent_port in cxl_detach_ep() cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have …
- CVE-2026-31532HIGHCVSS 7.8EG 7.82026-04-23
In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call…
- CVE-2026-31533CRITICALCVSS 9.8EG 9.82026-04-23
In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle ba…
- CVE-2026-31541HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker i…
- CVE-2026-31554HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: futex: Require sys_futex_requeue() to have identical flags Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with dif…
- CVE-2026-31566HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence from amdgpu_ib_schedule(). This fence is us…
- CVE-2026-31576CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf…
- CVE-2026-31578CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 a…
- CVE-2026-31580CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our at…
- CVE-2026-31581CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfir…
- CVE-2026-31582CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mute…
- CVE-2026-31583CVSS 0.0EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error pat…
- CVE-2026-31584HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pen…
- CVE-2026-31586HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpi…
- CVE-2026-31587HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm: move component registration to unmanaged version q6apm component registers dais dynamically from ASoC toplology, which are allocated using device mana…
- CVE-2026-31588HIGHCVSS 8.8EG 8.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Use scratch field in MMIO fragment to hold small write values When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a sc…
- CVE-2026-31589CRITICALCVSS 9.8EG 9.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: mm: call ->free_folio() directly in folio_unmap_invalidate() We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise,…
- CVE-2026-31597HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: …
- CVE-2026-31644HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old d…
- CVE-2026-31650HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can i…
- CVE-2026-31652HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if d…
- CVE-2026-31665HIGHCVSS 7.8EG 7.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), w…
- CVE-2026-31669CRITICALCVSS 9.8EG 9.82026-04-24
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability du…
- CVE-2026-31695HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, u…
- CVE-2026-31702CVSS 0.0EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero,…
- CVE-2026-31703HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb…
- CVE-2026-31715HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. Th…
- CVE-2026-31718CRITICALCVSS 9.8EG 9.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_…
- CVE-2026-31731HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: thermal: core: Address thermal zone removal races with resume Since thermal_zone_pm_complete() and thermal_zone_device_resume() re-initialize the poll_queue delayed work…
- CVE-2026-31758HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in…
- CVE-2026-31769HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: gpib: fix use-after-free in IO ioctl handlers The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been releas…
- CVE-2026-32070HIGHCVSS 7.0EG 7.02026-04-14
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
- CVE-2026-32073HIGHCVSS 7.0EG 7.02026-04-14
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-32075HIGHCVSS 7.0EG 7.02026-04-14
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
- CVE-2026-32078HIGHCVSS 7.8EG 7.82026-04-14
Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
- CVE-2026-32080HIGHCVSS 7.0EG 7.02026-04-14
Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.
- CVE-2026-32089HIGHCVSS 7.8EG 7.82026-04-14
Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.
Map vulnerabilities like CWE-416 to your infrastructure
EchelonGraph correlates every CVE — across CWE-416 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →