CWE-416— Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.— MITRE CWE catalog
7,398 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-416page 136 of 148
- CVE-2026-42909HIGHCVSS 7.5EG 7.52026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-42911HIGHCVSS 7.0EG 7.02026-06-09
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-42913HIGHCVSS 7.5EG 7.52026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-42958HIGHCVSS 7.8EG 7.82026-07-07
The application contains a use-after-free vulnerability that can be exploited to cause memory corruption while parsing specially crafted files. This could allow an attacker to execute arbitrary code in the context of the current process.
- CVE-2026-42978HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-42979HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-42983HIGHCVSS 7.8EG 7.82026-06-09
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
- CVE-2026-42984HIGHCVSS 7.0EG 7.02026-06-09
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-42985HIGHCVSS 8.8EG 8.82026-06-09
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-42986HIGHCVSS 7.8EG 7.82026-06-09
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
- CVE-2026-42987HIGHCVSS 8.1EG 8.12026-06-09
Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.
- CVE-2026-42991HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-43015HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: net: macb: fix clk handling on PCI glue driver removal platform_device_unregister() may still want to use the registered clks during runtime resume callback. Note that …
- CVE-2026-43016HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready(). syzbot reported use-after-free of AF_UNIX socket's sk->sk_socket in sk_psock_verdict_…
- CVE-2026-43018HIGHCVSS 8.8EG 8.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req…
- CVE-2026-43019HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possib…
- CVE-2026-43027HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to t…
- CVE-2026-43049HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure Presently, if the force feedback initialisation fails when probing the Logitech G920…
- CVE-2026-43050HIGHCVSS 7.0EG 7.02026-05-01
In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix use-after-free in sock_def_readable() A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in sen…
- CVE-2026-43056HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxili…
- CVE-2026-43059HIGHCVSS 7.8EG 7.82026-05-05
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), whi…
- CVE-2026-43076HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate t…
- CVE-2026-43084HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free …
- CVE-2026-43111HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concu…
- CVE-2026-43138HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't hav…
- CVE-2026-43203HIGHCVSS 7.5EG 7.52026-05-06
In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx…
- CVE-2026-43232HIGHCVSS 8.8EG 8.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove…
- CVE-2026-43236HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state stru…
- CVE-2026-43237HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4 This commit simplifies the amdgpu_gem_va_ioctl function, key updates i…
- CVE-2026-43303HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When t…
- CVE-2026-43322HIGHCVSS 8.8EG 8.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hc…
- CVE-2026-43339HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper try to warn the user about an exceptional condition, but the message is delivered too late, …
- CVE-2026-43370HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm…
- CVE-2026-43374HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer…
- CVE-2026-43376CRITICALCVSS 9.8EG 9.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side…
- CVE-2026-43378CRITICALCVSS 9.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: smb: server: fix use-after-free in smb2_open() The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-afte…
- CVE-2026-43379CRITICALCVSS 9.8EG 9.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has …
- CVE-2026-43388HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whethe…
- CVE-2026-43402CRITICALCVSS 9.8EG 9.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash…
- CVE-2026-43426HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler …
- CVE-2026-43437HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (run…
- CVE-2026-43438HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increme…
- CVE-2026-43440HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the clean…
- CVE-2026-43447HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during…
- CVE-2026-43458HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path cal…
- CVE-2026-43459HIGHCVSS 7.3EG 7.32026-05-08
In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_s…
- CVE-2026-43497HIGHCVSS 7.3EG 7.32026-05-21
In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_o…
- CVE-2026-43499HIGHCVSS 7.8EG 7.82026-05-21
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_st…
- CVE-2026-43663MEDIUMCVSS 6.5EG 6.52026-06-29
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
- CVE-2026-43668HIGHCVSS 7.5EG 7.52026-05-11
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, wat…
Map vulnerabilities like CWE-416 to your infrastructure
EchelonGraph correlates every CVE — across CWE-416 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →