CWE-825
AllowedExpired Pointer Dereference
Abstraction: Base · Status: Incomplete
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
105 vulnerabilities reference this CWE, most recent first.
GHSA-9PG8-4HVG-H64M
Vulnerability from github – Published: 2026-04-01 15:31 – Updated: 2026-04-01 15:31A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.
{
"affected": [],
"aliases": [
"CVE-2026-35094"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T14:16:57Z",
"severity": "LOW"
},
"details": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.",
"id": "GHSA-9pg8-4hvg-h64m",
"modified": "2026-04-01T15:31:15Z",
"published": "2026-04-01T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-35094"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9QJ4-WR4G-7M6F
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
futex: Drop CLONE_THREAD requirement for private default hash alloc
Currently need_futex_hash_allocate_default() depends on strict pthread semantics, abusing CLONE_THREAD. This breaks the non-concurrency assumptions when doing the mm->futex_ref pcpu allocations, leading to bugs[0] when sharing the mm in other ways; ie:
BUG: KASAN: slab-use-after-free in futex_hash_put
... where the +1 bias can end up on a percpu counter that mm->futex_ref no longer points at.
Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding vfork keeps the existing paths untouched (no overhead), and we can't race in the first place: either the parent is suspended and the child runs alone, or mm->futex_ref is already allocated from an earlier CLONE_VM.
{
"affected": [],
"aliases": [
"CVE-2026-52973"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Drop CLONE_THREAD requirement for private default hash alloc\n\nCurrently need_futex_hash_allocate_default() depends on strict pthread\nsemantics, abusing CLONE_THREAD. This breaks the non-concurrency\nassumptions when doing the mm-\u003efutex_ref pcpu allocations, leading to\nbugs[0] when sharing the mm in other ways; ie:\n\n BUG: KASAN: slab-use-after-free in futex_hash_put\n\n... where the +1 bias can end up on a percpu counter that mm-\u003efutex_ref\nno longer points at.\n\nLoosen the check to cover any CLONE_VM clone, except vfork(). Excluding\nvfork keeps the existing paths untouched (no overhead), and we can\u0027t\nrace in the first place: either the parent is suspended and the child\nruns alone, or mm-\u003efutex_ref is already allocated from an earlier\nCLONE_VM.",
"id": "GHSA-9qj4-wr4g-7m6f",
"modified": "2026-06-30T03:37:12Z",
"published": "2026-06-24T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52973"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52973"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492413"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1dcd36420af2da5bd59306dba9caf78e3d248b1d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/974ac49a9a068b0591a59f65c63eb06579a13091"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee9dce44362b2d8132c32964656ab6dff7dfbc6a"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52973.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C52J-4PG6-8F2F
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Two error handling issues exist in xe_exec_queue_create_ioctl():
-
When xe_hw_engine_group_add_exec_queue() fails, the error path jumps to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.
-
When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.
Fix both by: - Changing the xe_hw_engine_group_add_exec_queue() failure path to jump to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list. - Adding a del_hw_engine_group label before kill_exec_queue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.
(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
{
"affected": [],
"aliases": [
"CVE-2026-52976"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()\n\nTwo error handling issues exist in xe_exec_queue_create_ioctl():\n\n1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps\n to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in\n preempt fence mode, xe_vm_add_compute_exec_queue() has already added\n the queue to the VM\u0027s compute exec queue list. Skipping the kill\n leaves the queue on that list, leading to a dangling pointer after\n the queue is freed.\n\n2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has\n succeeded, the error path does not call\n xe_hw_engine_group_del_exec_queue() to remove the queue from the hw\n engine group list. The queue is then freed while still linked into\n the hw engine group, causing a use-after-free.\n\nFix both by:\n- Changing the xe_hw_engine_group_add_exec_queue() failure path to jump\n to kill_exec_queue so that xe_exec_queue_kill() properly removes the\n queue from the VM\u0027s compute list.\n- Adding a del_hw_engine_group label before kill_exec_queue for the\n xa_alloc() failure path, which removes the queue from the hw engine\n group before proceeding with the rest of the cleanup.\n\n(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)",
"id": "GHSA-c52j-4pg6-8f2f",
"modified": "2026-06-30T03:37:12Z",
"published": "2026-06-24T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52976"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52976"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492284"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1be55646d8a2035343b012dcb12210db7bb8b056"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/753b149d5a433eb19e0c1b0eb4526a6e26120d1f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3cc22d4df3ed58439ea7e21daa54c3608e03b78"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f93b00161213a0fe9f7ff1d8498ee5ca9e0a5c43"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52976.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJGM-66PW-5R9R
Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-06-30 03:36A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
{
"affected": [],
"aliases": [
"CVE-2026-34001"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T16:16:24Z",
"severity": "HIGH"
},
"details": "A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.",
"id": "GHSA-cjgm-66pw-5r9r",
"modified": "2026-06-30T03:36:22Z",
"published": "2026-04-23T18:33:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34001"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10739"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20576"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21699"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21712"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21715"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21716"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21718"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21742"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22424"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23254"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23255"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23496"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24341"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-34001"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451109"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34001.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11352"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11369"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11388"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11656"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11692"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13414"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19343"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19344"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20555"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20557"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20558"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20560"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20561"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20562"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVPF-J74M-QJRJ
Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-07-15 12:31Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
{
"affected": [],
"aliases": [
"CVE-2026-12291"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T13:16:29Z",
"severity": "HIGH"
},
"details": "Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.",
"id": "GHSA-cvpf-j74m-qjrj",
"modified": "2026-07-15T12:31:48Z",
"published": "2026-06-16T15:33:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12291"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-61"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-60"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-59"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-58"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-57"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12291.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489244"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2036929"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12291"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39706"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39142"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39011"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38753"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38751"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38750"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38506"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37391"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37210"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36103"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36102"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36101"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36100"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33445"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30846"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29940"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27734"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27733"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2FG-XHHC-4M4W
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible UAF in icmpv6_rcv()
Caching saddr and daddr before pskb_pull() is problematic since skb->head can change.
Remove these temporary variables:
-
We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr when net_dbg_ratelimited() is called in the slow path.
-
Avoid potential future misuse after pskb_pull() call.
{
"affected": [],
"aliases": [
"CVE-2026-53006"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:11Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible UAF in icmpv6_rcv()\n\nCaching saddr and daddr before pskb_pull() is problematic\nsince skb-\u003ehead can change.\n\nRemove these temporary variables:\n\n- We only access \u0026ipv6_hdr(skb)-\u003esaddr and \u0026ipv6_hdr(skb)-\u003edaddr\n when net_dbg_ratelimited() is called in the slow path.\n\n- Avoid potential future misuse after pskb_pull() call.",
"id": "GHSA-f2fg-xhhc-4m4w",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53006"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53006"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492363"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0069813e6ca9309eca78022bcb3aeb1e9ef90a12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/085e31a811ef234ef8c3e219c4636dfebfe7e10f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e1f0f89ee4692a64be3f3707ff8ac1ae57b03e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38bdbc897c0d83a3e2b925a51b69420f1feba29a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bff2c8fe5c35ae58bf73104f53db3676e6e5d94"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c66b368c6ff453f99cb39d84af93e908e51eef2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aff0f28f5be803de2452ce702631c021fcd9ce8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f996edd7615e686ada141b7f3395025729ff8ccb"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53006.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F684-CPCQ-J565
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-07-15 15:32Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.
In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
{
"affected": [],
"aliases": [
"CVE-2026-45447"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:19Z",
"severity": "CRITICAL"
},
"details": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
"id": "GHSA-f684-cpcq-j565",
"modified": "2026-07-15T15:32:43Z",
"published": "2026-06-09T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45447"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-45447"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39981"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39012"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39009"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36215"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35869"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34102"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26275"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25239"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25237"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F953-7679-XC38
Vulnerability from github – Published: 2026-06-30 12:31 – Updated: 2026-06-30 12:31A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
{
"affected": [],
"aliases": [
"CVE-2026-12610"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T10:16:34Z",
"severity": "MODERATE"
},
"details": "A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.",
"id": "GHSA-f953-7679-xc38",
"modified": "2026-06-30T12:31:51Z",
"published": "2026-06-30T12:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12610"
},
{
"type": "WEB",
"url": "https://github.com/SSSD/sssd/issues/8796"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12610"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490288"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G23F-VWRR-7M5P
Vulnerability from github – Published: 2025-09-25 18:30 – Updated: 2026-06-30 00:31A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.
{
"affected": [],
"aliases": [
"CVE-2025-10911"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T16:15:31Z",
"severity": "MODERATE"
},
"details": "A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.",
"id": "GHSA-g23f-vwrr-7m5p",
"modified": "2026-06-30T00:31:28Z",
"published": "2025-09-25T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10911"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/144"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2397838"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-10911"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33313"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30847"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29976"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29975"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29814"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29811"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29809"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29807"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28584"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28243"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26355"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G7MG-6RH4-C572
Vulnerability from github – Published: 2022-02-09 00:00 – Updated: 2022-03-17 00:05Expired Pointer Dereference in NPM radare2.js prior to 5.6.2.
{
"affected": [],
"aliases": [
"CVE-2022-0523"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-08T21:15:00Z",
"severity": "HIGH"
},
"details": "Expired Pointer Dereference in NPM radare2.js prior to 5.6.2.",
"id": "GHSA-g7mg-6rh4-c572",
"modified": "2022-03-17T00:05:51Z",
"published": "2022-02-09T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0523"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/35482cb760db10f87a62569e2f8872dbd95e9269"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/9d8d6ae0-fe00-40b9-ae1e-b0e8103bac69"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZTIMAS53YT66FUS4QHQAFRJOBMUFG6D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.