use-after-free
About this tag
The use-after-free tag on WindowsForum covers memory corruption vulnerabilities where a program continues to use a pointer after the referenced memory has been freed, leading to potential code execution or sandbox escape. Recent discussions focus on high-severity CVEs in Google Chrome and Microsoft Edge (Chromium-based) disclosed in June 2026, including flaws in Autofill, Blink, Bluetooth, Digital Credentials, FileSystem, and Printing components. One thread also addresses a Linux kernel use-after-free in PPPoL2TP that appeared in Microsoft's Security Update Guide. The tag emphasizes patch management for Windows users, browser security updates, and the importance of updating to Chrome 149.0.7827.197 or later, as well as corresponding Edge builds.
CVE-2026-53262 is a Linux kernel vulnerability published on June 25, 2026, covering a use-after-free bug in the PPP-over-L2TP ioctl path, with the underlying fix holding a proper session reference inside pppol2tp_ioctl() before user-space copy operations can sleep. For WindowsForum readers, the...
CVE-2026-13038 is a critical use-after-free flaw in Google Chrome’s Autofill component on Windows, disclosed June 24, 2026, and fixed for affected Chrome users by updating to version 149.0.7827.197 or later after Google’s late-June Stable Channel desktop release. The uncomfortable part is not...
Google disclosed CVE-2026-13031 on June 24, 2026, as a high-severity use-after-free flaw in Chrome’s Blink rendering engine, fixed in desktop Chrome 149.0.7827.196/197 and capable of letting a remote attacker execute code inside Chrome’s sandbox through a crafted HTML page. That sounds like the...
CVE-2026-13035 is a high-severity use-after-free vulnerability in Google Chrome’s Bluetooth code on macOS, disclosed June 24, 2026, and fixed for Mac users in Chrome 149.0.7827.197 after Google’s Stable Channel desktop update. The short version is simple: if Chrome on a Mac is older than that...
Google disclosed CVE-2026-13026 on June 24, 2026, as a high-severity use-after-free flaw in Chrome’s Digital Credentials implementation on macOS, fixed in Chrome 149.0.7827.197 after a crafted HTML page could potentially trigger heap corruption with user interaction. The advisory is narrow, but...
CVE-2026-13027 is a high-severity use-after-free flaw in Google Chrome’s FileSystem component, disclosed June 24, 2026, fixed before Chrome 149.0.7827.197, and exploitable by a remote attacker through a crafted HTML page if a user visits it in a vulnerable browser. The short version for...
Microsoft documents CVE-2026-12462 in the Security Update Guide because the bug lives in Chromium open-source code used by Microsoft Edge, and the June 2026 Edge update notice tells Windows administrators that current Chromium-based Edge builds are no longer vulnerable. That distinction matters...
Google’s CVE-2026-11647 is a high-severity use-after-free flaw in Chrome’s Printing component on Android, disclosed June 8, 2026, affecting versions before 149.0.7827.103 and potentially allowing a renderer-compromising attacker to escape the browser sandbox with a crafted HTML page. That is the...
Google disclosed CVE-2026-11700 on June 8, 2026, as a use-after-free flaw in Chrome’s Tracing component before version 149.0.7827.103 that could let an attacker who already compromised the renderer process attempt a sandbox escape through a crafted HTML page. That description sounds narrow...
Google disclosed CVE-2026-11692 on June 8, 2026, as a high-severity use-after-free flaw in Chrome’s Read Anything feature before version 149.0.7827.103, where a crafted HTML page could help an attacker who had already compromised the renderer process attempt a sandbox escape. That phrasing is...
Google Chrome before 149.0.7827.103 contains CVE-2026-11683, a high-severity use-after-free flaw in WebCodecs disclosed on June 8, 2026, that can let a remote attacker run arbitrary code inside Chrome’s sandbox when a user opens a crafted HTML page. The practical instruction is simple: update...
CVE-2026-11681 is a high-severity Google Chrome vulnerability disclosed on June 8, 2026, affecting Chrome on Linux before version 149.0.7827.103 and allowing a remote attacker to potentially trigger heap corruption through a crafted HTML page. The bug sits in Ozone, Chrome’s platform-abstraction...
Google assigned CVE-2026-11673 to a high-severity use-after-free flaw in Chrome’s InterestGroups component, fixed in Chrome 149.0.7827.103 for Windows and macOS before June 9, 2026, after NVD published the entry on June 8. The exploit condition is brutally familiar: a crafted HTML page, user...
Google disclosed CVE-2026-11671 on June 8, 2026, as a high-severity use-after-free flaw in Chrome’s Navigation component affecting desktop Chrome versions before 149.0.7827.103, with exploitation possible through a crafted HTML page and potential sandbox escape. That is the kind of browser bug...
Google Chrome CVE-2026-11664 is a high-severity use-after-free flaw in Chrome’s Payments component, disclosed June 8, 2026, affecting Chrome versions before 149.0.7827.103 and potentially exploitable by a remote attacker through a crafted HTML page. The bug is not the headline-grabbing zero-day...
CVE-2026-11663 is a high-severity Google Chrome vulnerability published on June 8, 2026, affecting Chrome versions before 149.0.7827.103, where a use-after-free flaw in Skia could let an attacker who already compromised the renderer attempt a sandbox escape through crafted HTML. That is the dry...
Google disclosed CVE-2026-11661 on June 8, 2026, as a high-severity Windows-only Chrome use-after-free flaw in the browser’s Views component, fixed before version 149.0.7827.103 and capable of helping an attacker escape the renderer sandbox after a separate renderer compromise. That last...
Google assigned CVE-2026-11657 to a high-severity use-after-free flaw in Chrome’s Payments component on macOS, fixed in Chrome 149.0.7827.103 after disclosure on June 8, 2026, with NVD and CISA-ADP describing a crafted HTML page as the remote attack path. The short version is simple: Mac users...
Google fixed CVE-2026-11641 on June 8, 2026, in Chrome’s Stable Channel update for desktop, closing a critical Windows-only use-after-free flaw in the browser’s Bluetooth code before version 149.0.7827.103 that could let a remote attacker execute code through a crafted web page. The detail that...
Google Chrome on macOS before version 149.0.7827.103 contained CVE-2026-11637, a critical use-after-free flaw in the browser’s Views UI framework that could let a remote attacker execute arbitrary code through a crafted HTML page. The bug was published by Chrome on June 8, 2026, enriched by CISA...