use-after-free

On May 21, 2026, CVE-2026-43497 was published for a Linux kernel flaw in the udlfb framebuffer driver, where mapped DisplayLink-style USB framebuffer memory could remain accessible after the backing kernel pages were freed. The bug is narrow, technical, and not yet scored by NVD, but it lands in...

CVE-2026-43303 is a Linux kernel use-after-free vulnerability published by NVD on May 8, 2026, sourced from kernel.org, affecting kernel versions from 5.18 through pre-fixed stable releases and rated High by kernel.org under CVSS 3.1. The bug sits in the memory allocator, not in a flashy network...

Microsoft disclosed CVE-2026-40402 on May 12, 2026, as a Critical Windows Hyper-V elevation-of-privilege vulnerability in its May Patch Tuesday release, describing a use-after-free flaw that can let an attacker in a guest virtual machine gain SYSTEM privileges on the Hyper-V host. The...

Microsoft published CVE-2026-40410 on May 12, 2026, identifying it as an Important-rated Windows SMB Client elevation-of-privilege flaw caused by use-after-free behavior, with an official fix available across supported Windows client and server releases and no public disclosure or exploitation...

Microsoft disclosed CVE-2026-40366 on May 12, 2026, as a Critical Microsoft Word remote code execution vulnerability affecting supported Office, Word 2016, Microsoft 365 Apps for Enterprise, Office LTSC, Office 2019, and Office for Mac releases, with official fixes available through Microsoft’s...

On May 6, 2026, CVE-2026-7901 entered the vulnerability databases as a high-severity use-after-free flaw in ANGLE affecting Google Chrome on macOS before version 148.0.7778.96, allowing remote code execution inside Chrome’s sandbox through a crafted HTML page. The dry wording hides the more...

CVE-2026-7908 is a high-severity Chromium vulnerability disclosed on May 6, 2026, affecting Google Chrome before version 148.0.7778.96, where a use-after-free bug in the Fullscreen component could let a remote attacker attempt a sandbox escape through a crafted HTML page. That sentence sounds...

Google disclosed CVE-2026-7956 on May 6, 2026, as a medium-severity use-after-free flaw in Chrome’s Navigation component, fixed in Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS, with potential sandbox escape after renderer compromise. That one-line description sounds...

Google and Microsoft disclosed CVE-2026-7970 on May 6, 2026, as a use-after-free flaw in Chromium’s TopChrome component affecting Google Chrome before version 148.0.7778.96 and Chromium-based Microsoft Edge builds that consume the same upstream fix. The bug is not the loudest vulnerability in...

CVE-2026-7984 is a newly published Chromium use-after-free vulnerability in Chrome’s ReadingMode component, fixed in Google Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS after disclosure on May 6, 2026, and tracked by Microsoft because Edge inherits Chromium security...

Chrome’s CVE-2026-8001, disclosed May 6, 2026 and fixed in Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac, is a printing-component use-after-free flaw that could help a renderer-compromising attacker escape the browser sandbox on Linux, macOS, and ChromeOS. That is the...

Google and Microsoft disclosed CVE-2026-8002 on May 6 and May 7, 2026, describing a use-after-free flaw in Chrome’s Audio component on macOS before version 148.0.7778.96 that could let a remote attacker execute code inside Chrome’s sandbox through a crafted HTML page. The oddity is not that...

Google and Microsoft disclosed CVE-2026-7335 on April 28, 2026, after Chrome’s stable desktop update to 147.0.7727.137/138 fixed a high-severity use-after-free flaw in Chromium’s media component that could let a remote attacker run code inside the browser sandbox through a crafted HTML page. The...

Google and Microsoft patched CVE-2026-7349 this week after Chrome’s Cast component was found vulnerable to a high-severity use-after-free flaw that could let an attacker on the same local network segment execute code inside Chrome’s sandbox through malicious network traffic. The fixed Chrome...

Google and Microsoft disclosed CVE-2026-7358 on April 28, 2026, as a high-severity use-after-free flaw in Chrome’s Animation component affecting Google Chrome before version 147.0.7727.138, with exploitation possible through a crafted HTML page that can execute code inside Chrome’s sandbox. The...

Google disclosed CVE-2026-7359 on April 28, 2026, as a high-severity use-after-free flaw in Chrome’s ANGLE graphics layer before version 147.0.7727.138, enabling a renderer-compromising attacker to potentially escape the browser sandbox through a crafted HTML page on desktop platforms. The...

Google disclosed CVE-2026-7343 on April 28, 2026, as a critical use-after-free flaw in Chrome’s Views component on Windows before version 147.0.7727.138, enabling a renderer-compromising attacker to potentially escape the browser sandbox via crafted HTML. That dry sentence is the whole drama in...

CVE-2026-31581 is a newly published Linux kernel vulnerability in the ALSA 6fire USB audio driver, and while it is not a Windows flaw, it matters to many WindowsForum readers who dual-boot, run Linux audio workstations, maintain WSL environments, or manage mixed Windows/Linux fleets. The bug is...

In the Linux kernel’s CAN subsystem, CVE-2026-31532 closes a use-after-free bug in the raw socket receive path, specifically in raw_rcv(). The flaw is subtle but important: raw_release() unregisters CAN receive filters while receiver deletion is deferred via call_rcu(), creating a window where...

Linux administrators are waking up to a new XFS kernel flaw that looks deceptively small in code but serious in consequence. CVE-2026-31453 affects the Linux kernel’s XFS journaling path, where tracepoint code can dereference a log item after a push callback has already made it eligible for...