CWE-825— Expired Pointer Dereference
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.— MITRE CWE catalog
84 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-825page 2 of 2
- CVE-2026-46125HIGHCVSS 8.8EG 8.82026-05-28
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this c…
- CVE-2026-46166HIGHCVSS 8.8EG 8.82026-05-28
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. G…
- CVE-2026-46176HIGHCVSS 7.8EG 7.82026-05-28
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the err…
- CVE-2026-46243HIGHCVSS 7.8EG 7.82026-06-01
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that ci…
- CVE-2026-46523MEDIUMCVSS 6.2EG 6.22026-05-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
- CVE-2026-4688CRITICALCVSS 10.0EG 10.02026-03-24
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-4691CRITICALCVSS 9.8EG 9.82026-03-24
Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-4696CRITICALCVSS 9.8EG 9.82026-03-24
Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-4721CRITICALCVSS 9.8EG 9.82026-03-24
Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could…
- CVE-2026-4729CRITICALCVSS 9.8EG 9.82026-03-24
Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability…
- CVE-2026-5165MEDIUMCVSS 6.7EG 6.72026-03-30
A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker …
- CVE-2026-52923HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid ID range The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. ipc_idr_alloc() currently …
- CVE-2026-52924CRITICALCVSS 9.8EG 9.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: sctp: purge outqueue on stale COOKIE-ECHO handling sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfigu…
- CVE-2026-52950HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the att…
- CVE-2026-52952HIGHCVSS 8.8EG 8.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device i…
- CVE-2026-52973HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: futex: Drop CLONE_THREAD requirement for private default hash alloc Currently need_futex_hash_allocate_default() depends on strict pthread semantics, abusing CLONE_THREA…
- CVE-2026-52976HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Two error handling issues exist in xe_exec_queue_create_ioctl(): 1. When xe_hw_engine_group_add_exec_queue() f…
- CVE-2026-53006CRITICALCVSS 9.8EG 9.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in icmpv6_rcv() Caching saddr and daddr before pskb_pull() is problematic since skb->head can change. Remove these temporary variables: - We onl…
- CVE-2026-53033HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Take state lock for af_unix iter When a BPF iterator program updates a sockmap, there is a race condition in unix_stream_bpf_update_proto() where the `peer…
- CVE-2026-53085HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget()…
- CVE-2026-54778MEDIUMCVSS 6.2EG 6.22026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF UnixDomainSocket POSIX peer identity resolution uses non-reentrant getpwuid and getgrgid calls, allowing concur…
- CVE-2026-57435HIGHCVSS 7.5EG 7.52026-06-25
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ru…
- CVE-2026-58592HIGHCVSS 8.3EG 8.32026-07-01
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm:…
- CVE-2026-6040HIGHCVSS 7.3EG 7.32026-06-15
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be pr…
- CVE-2026-6100HIGHCVSS 8.1EG 9.12026-04-13
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if t…
- CVE-2026-6722CRITICALCVSS 9.8EG 9.82026-05-10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference…
- CVE-2026-6746HIGHCVSS 7.5EG 7.52026-04-21
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-6747HIGHCVSS 7.5EG 7.52026-04-21
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-6754HIGHCVSS 7.5EG 7.52026-04-21
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-7111HIGHCVSS 8.4EG 8.42026-04-29
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke reg…
- CVE-2026-8090HIGHCVSS 7.3EG 7.32026-05-07
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
- CVE-2026-8390HIGHCVSS 7.3EG 7.32026-05-12
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
- CVE-2026-8854HIGHCVSS 7.5EG 7.52026-05-26
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
- CVE-2026-8947HIGHCVSS 7.3EG 7.32026-05-19
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Map vulnerabilities like CWE-825 to your infrastructure
EchelonGraph correlates every CVE — across CWE-825 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →