CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
CVE-2026-14178 (GCVE-0-2026-14178)
Vulnerability from cvelistv5 – Published: 2026-06-30 13:56 – Updated: 2026-06-30 14:40- CWE-416 - Use after free
| Vendor | Product | Version | |
|---|---|---|---|
| openGauss-server | openGauss-server-7.0.0-RC2 |
Affected:
openGauss-server-7.0.0-RC2
|
|
| openGauss-server | openGauss-server-7.0.0-RC1 |
Affected:
openGauss-server-7.0.0-RC1
|
|
| openGauss-server | openGauss-server-7.0.0-RC3 |
Unaffected:
openGauss-server-7.0.0-RC3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T14:39:56.155795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:40:10.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC2",
"defaultStatus": "affected",
"platforms": [
"openEuler",
"Centos"
],
"product": "openGauss-server-7.0.0-RC2",
"vendor": "openGauss-server",
"versions": [
{
"status": "affected",
"version": "openGauss-server-7.0.0-RC2"
}
]
},
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC1",
"defaultStatus": "affected",
"platforms": [
"openEuler",
"Centos"
],
"product": "openGauss-server-7.0.0-RC1",
"vendor": "openGauss-server",
"versions": [
{
"status": "affected",
"version": "openGauss-server-7.0.0-RC1"
}
]
},
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC3",
"defaultStatus": "unaffected",
"platforms": [
"openEuler Centos"
],
"product": "openGauss-server-7.0.0-RC3",
"vendor": "openGauss-server",
"versions": [
{
"status": "unaffected",
"version": "openGauss-server-7.0.0-RC3"
}
]
}
],
"datePublic": "2026-06-30T07:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;openGauss \u5728\u5904\u7406\u5e26 NLS \u53c2\u6570\u7684 to_timestamp \u8c03\u7528\u65f6\uff0cto_timestamp_with_fmt_nls() \u4f1a\u5c06 nls_fmt_str \u4fdd\u5b58\u5230 u_sess-\u0026gt;parser_cxt.nls_fmt_str\u3002\u5728 seqscan + sort \u6267\u884c\u8def\u5f84\u4e0b\uff0c\u8be5\u5b57\u7b26\u4e32\u539f\u672c\u88ab\u5206\u914d\u5728 SeqScan \u7684\u8868\u8fbe\u5f0f\u4e0a\u4e0b\u6587\u4e2d\uff1b\u5f53 SeqScan \u5b8c\u6210\u540e\uff0c\u8be5\u5185\u5b58\u4e0a\u4e0b\u6587\u4f1a\u88ab reset\uff0c\u4f46\u540e\u7eed\u7ed3\u679c\u8f93\u51fa\u9636\u6bb5 timestamp_out() \u4ecd\u4f1a\u901a\u8fc7 CheckNlsFormat() \u8bbf\u95ee u_sess-\u0026gt;parser_cxt.nls_fmt_str\uff0c\u5bfc\u81f4\u8bbf\u95ee\u5df2\u91ca\u653e\u5185\u5b58\u3002\u653b\u51fb\u8005\u5728\u5177\u5907\u6570\u636e\u5e93 SQL \u6267\u884c\u6743\u9650\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020\u7279\u5b9a to_timestamp(..., ..., nlsparam) \u67e5\u8be2\u89e6\u53d1 heap-use-after-free\u3002\u5728 ASan/Memcheck \u73af\u5883\u4e0b\u8868\u73b0\u4e3a\u6570\u636e\u5e93\u670d\u52a1\u9000\u51fa\uff1b\u5728\u5b9e\u9645\u8fd0\u884c\u73af\u5883\u4e2d\u53ef\u80fd\u9020\u6210\u540e\u7aef\u8fdb\u7a0b\u5f02\u5e38\u9000\u51fa\uff0c\u5f71\u54cd\u6570\u636e\u5e93\u670d\u52a1\u53ef\u7528\u6027\uff0c\u5f62\u6210\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u3002\u8be5\u95ee\u9898\u5728openGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u7248\u672c\u5b58\u5728\uff0c\u76ee\u524d\u5df2\u5728openGauss-server-7.0.0-RC3\u7248\u672c\u4fee\u590d\u3002\u7531\u4e8e\nopenGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u5747\u4e3a\u521b\u65b0\u7248\u672c\uff0c\u4e0d\u4f1a\u53d1\u5e03\u9488\u5bf9\u6027\u8865\u4e01\u5305\uff0c\u6d89\u53ca\u7248\u672c\u5347\u7ea7\u81f3\nopenGauss-server-7.0.0-RC3\u6216\u66f4\u65b0\u7248\u672c\u5373\u53ef\u3002"
}
],
"value": "openGauss \u5728\u5904\u7406\u5e26 NLS \u53c2\u6570\u7684 to_timestamp \u8c03\u7528\u65f6\uff0cto_timestamp_with_fmt_nls() \u4f1a\u5c06 nls_fmt_str \u4fdd\u5b58\u5230 u_sess-\u003eparser_cxt.nls_fmt_str\u3002\u5728 seqscan + sort \u6267\u884c\u8def\u5f84\u4e0b\uff0c\u8be5\u5b57\u7b26\u4e32\u539f\u672c\u88ab\u5206\u914d\u5728 SeqScan \u7684\u8868\u8fbe\u5f0f\u4e0a\u4e0b\u6587\u4e2d\uff1b\u5f53 SeqScan \u5b8c\u6210\u540e\uff0c\u8be5\u5185\u5b58\u4e0a\u4e0b\u6587\u4f1a\u88ab reset\uff0c\u4f46\u540e\u7eed\u7ed3\u679c\u8f93\u51fa\u9636\u6bb5 timestamp_out() \u4ecd\u4f1a\u901a\u8fc7 CheckNlsFormat() \u8bbf\u95ee u_sess-\u003eparser_cxt.nls_fmt_str\uff0c\u5bfc\u81f4\u8bbf\u95ee\u5df2\u91ca\u653e\u5185\u5b58\u3002\u653b\u51fb\u8005\u5728\u5177\u5907\u6570\u636e\u5e93 SQL \u6267\u884c\u6743\u9650\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020\u7279\u5b9a to_timestamp(..., ..., nlsparam) \u67e5\u8be2\u89e6\u53d1 heap-use-after-free\u3002\u5728 ASan/Memcheck \u73af\u5883\u4e0b\u8868\u73b0\u4e3a\u6570\u636e\u5e93\u670d\u52a1\u9000\u51fa\uff1b\u5728\u5b9e\u9645\u8fd0\u884c\u73af\u5883\u4e2d\u53ef\u80fd\u9020\u6210\u540e\u7aef\u8fdb\u7a0b\u5f02\u5e38\u9000\u51fa\uff0c\u5f71\u54cd\u6570\u636e\u5e93\u670d\u52a1\u53ef\u7528\u6027\uff0c\u5f62\u6210\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u3002\u8be5\u95ee\u9898\u5728openGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u7248\u672c\u5b58\u5728\uff0c\u76ee\u524d\u5df2\u5728openGauss-server-7.0.0-RC3\u7248\u672c\u4fee\u590d\u3002\u7531\u4e8e\nopenGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u5747\u4e3a\u521b\u65b0\u7248\u672c\uff0c\u4e0d\u4f1a\u53d1\u5e03\u9488\u5bf9\u6027\u8865\u4e01\u5305\uff0c\u6d89\u53ca\u7248\u672c\u5347\u7ea7\u81f3\nopenGauss-server-7.0.0-RC3\u6216\u66f4\u65b0\u7248\u672c\u5373\u53ef\u3002"
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:56:16.846Z",
"orgId": "a1a479f7-907b-4ae8-a999-9148cadc9224",
"shortName": "openGauss"
},
"references": [
{
"url": "https://gitcode.com/opengauss/openGauss-server/pull/8877"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "openGauss\u5b58\u5728\u975e\u6cd5\u5185\u5b58\u8bbf\u95ee\u5bfc\u81f4DoS\u6f0f\u6d1e",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a1a479f7-907b-4ae8-a999-9148cadc9224",
"assignerShortName": "openGauss",
"cveId": "CVE-2026-14178",
"datePublished": "2026-06-30T13:56:16.846Z",
"dateReserved": "2026-06-30T07:37:54.949Z",
"dateUpdated": "2026-06-30T14:40:10.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13713 (GCVE-0-2026-13713)
Vulnerability from cvelistv5 – Published: 2026-07-16 21:35 – Updated: 2026-07-17 13:18| Vendor | Product | Version | |
|---|---|---|---|
| TODDR | YAML::Syck |
Affected:
0 , < 1.47
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-17T03:02:25.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/17/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T13:17:36.382946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T13:18:02.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "YAML-Syck",
"product": "YAML::Syck",
"programFiles": [
"handler.c",
"syck_.c",
"syck.h"
],
"programRoutines": [
{
"name": "syck_hdlr_add_anchor"
},
{
"name": "syck_hdlr_remove_anchor"
},
{
"name": "syck_hdlr_add_node"
}
],
"repo": "https://github.com/toddr/YAML-Syck",
"vendor": "TODDR",
"versions": [
{
"lessThan": "1.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack.\n\nIn the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser\u0027s value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it.\n\nAny caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T21:35:31.477Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/toddr/YAML-Syck/commit/44c90a109ec3215ee7ce747bd11209835e123d8b.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to YAML-Syck 1.47 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13713",
"datePublished": "2026-07-16T21:35:31.477Z",
"dateReserved": "2026-06-29T13:57:19.498Z",
"dateUpdated": "2026-07-17T13:18:02.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13595 (GCVE-0-2026-13595)
Vulnerability from cvelistv5 – Published: 2026-06-29 08:06 – Updated: 2026-06-30 02:14- CWE-416 - Use After Free
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:26573 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-13595 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2494101 | issue-trackingx_refsource_REDHAT |
| https://github.com/util-linux/util-linux/commit/c… |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Hardened Images |
Unaffected:
2.42.2-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:50:15.269617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:50:26.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "util-linux-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.42.2-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) for reporting this issue."
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T02:14:09.471Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:26573",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26573"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-13595"
},
{
"name": "RHBZ#2494101",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494101"
},
{
"url": "https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-13595",
"datePublished": "2026-06-29T08:06:09.059Z",
"dateReserved": "2026-06-29T07:20:52.583Z",
"dateUpdated": "2026-06-30T02:14:09.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13368 (GCVE-0-2026-13368)
Vulnerability from cvelistv5 – Published: 2026-07-02 23:06 – Updated: 2026-07-07 03:56- CWE-416 - Use After Free
| URL | Tags |
|---|---|
| https://www.watchguard.com/wgrd-psirt/advisory/wg… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| WatchGuard | Fireware OS |
Affected:
11.10.2 , ≤ 11.12.4+541730
(semver)
Unaffected: 12.0 , ≤ 12.12 (semver) Unaffected: 12.5 , ≤ 12.5.18 (semver) Affected: 2025.1 , ≤ 2026.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:56:35.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fireware OS",
"vendor": "WatchGuard",
"versions": [
{
"lessThanOrEqual": "11.12.4+541730",
"status": "affected",
"version": "11.10.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.12",
"status": "unaffected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.5.18",
"status": "unaffected",
"version": "12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "2026.2",
"status": "affected",
"version": "2025.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:11.0",
"versionEndIncluding": "11.12.4+541730",
"versionStartIncluding": "11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
"versionEndIncluding": "2026.2",
"versionStartIncluding": "2025.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cody Sixteen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2.\u003cbr\u003e"
}
],
"value": "WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.\n\nThis vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2."
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T23:06:32.928Z",
"orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"shortName": "WatchGuard"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00023"
}
],
"source": {
"advisory": "WGSA-2026-00023",
"defect": [
"FBX-32231"
],
"discovery": "EXTERNAL"
},
"title": "WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"assignerShortName": "WatchGuard",
"cveId": "CVE-2026-13368",
"datePublished": "2026-07-02T23:06:32.928Z",
"dateReserved": "2026-06-25T19:00:06.688Z",
"dateUpdated": "2026-07-07T03:56:35.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13129 (GCVE-0-2026-13129)
Vulnerability from cvelistv5 – Published: 2026-07-08 07:36 – Updated: 2026-07-08 13:20- CWE-416 - Use after free
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2026.1.1 and earlier
Affected: Versions 14.0.4 and earlier Affected: Versions 13.2.4 and earlier |
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2026.1.1 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:20:17.240504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:20:30.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
},
{
"status": "affected",
"version": "Versions 14.0.4 and earlier"
},
{
"status": "affected",
"version": "Versions 13.2.4 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anonymous working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer."
}
],
"value": "When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T07:36:30.034Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"title": "Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-13129",
"datePublished": "2026-07-08T07:36:30.034Z",
"dateReserved": "2026-06-24T03:01:54.524Z",
"dateUpdated": "2026-07-08T13:20:30.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13128 (GCVE-0-2026-13128)
Vulnerability from cvelistv5 – Published: 2026-07-08 07:36 – Updated: 2026-07-08 12:14- CWE-416 - Use after free
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2026.1.1 and earlier
|
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2026.1.1 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:14:16.115665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:14:25.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anonymous working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Embedding JavaScript within a PDF file will cause the page to be deleted. Subsequent scripts will continue to access the relevant properties of the document view, eventually leading to the crash of the application."
}
],
"value": "Embedding JavaScript within a PDF file will cause the page to be deleted. Subsequent scripts will continue to access the relevant properties of the document view, eventually leading to the crash of the application."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T07:36:34.775Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"title": "Foxit PDF Editor/Reader Doc Object Use-After-Free Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-13128",
"datePublished": "2026-07-08T07:36:34.775Z",
"dateReserved": "2026-06-24T03:01:51.769Z",
"dateUpdated": "2026-07-08T12:14:25.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13127 (GCVE-0-2026-13127)
Vulnerability from cvelistv5 – Published: 2026-07-08 07:36 – Updated: 2026-07-08 12:13- CWE-416 - Use after free
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2026.1.1 and earlier
Affected: Versions 14.0.4 and earlier Affected: Versions 13.2.4 and earlier |
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2026.1.1 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:13:51.030975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:13:59.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
},
{
"status": "affected",
"version": "Versions 14.0.4 and earlier"
},
{
"status": "affected",
"version": "Versions 13.2.4 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anonymous working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application opens the PDF file. JavaScript then rewrites the document to modify the page structure, resulting in the invalidation of the page objects. However, the thumbnails still use the invalid page objects, ultimately causing the application to crash."
}
],
"value": "The application opens the PDF file. JavaScript then rewrites the document to modify the page structure, resulting in the invalidation of the page objects. However, the thumbnails still use the invalid page objects, ultimately causing the application to crash."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T07:36:36.349Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"title": "Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-13127",
"datePublished": "2026-07-08T07:36:36.349Z",
"dateReserved": "2026-06-24T03:01:48.781Z",
"dateUpdated": "2026-07-08T12:13:59.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13126 (GCVE-0-2026-13126)
Vulnerability from cvelistv5 – Published: 2026-07-08 07:36 – Updated: 2026-07-08 12:13- CWE-416 - Use after free
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2026.1.1 and earlier
Affected: Versions 14.0.4 and earlier |
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2026.1.1 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:12:57.219611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:13:27.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
},
{
"status": "affected",
"version": "Versions 14.0.4 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anonymous working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The embedded JavaScript in the PDF deleted the pages, making the object invalid. The application attempted to perform a write operation on the invalid pop-up annotations, resulting in the program crashing."
}
],
"value": "The embedded JavaScript in the PDF deleted the pages, making the object invalid. The application attempted to perform a write operation on the invalid pop-up annotations, resulting in the program crashing."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T07:40:47.204Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"title": "Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-13126",
"datePublished": "2026-07-08T07:36:37.927Z",
"dateReserved": "2026-06-24T03:01:45.197Z",
"dateUpdated": "2026-07-08T12:13:27.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12921 (GCVE-0-2026-12921)
Vulnerability from cvelistv5 – Published: 2026-06-25 17:57 – Updated: 2026-06-25 18:31- CWE-416 - Use after free
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| AzeoTech | DAQFactory |
Affected:
0 , ≤ 21.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:30:50.110380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:31:02.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DAQFactory",
"vendor": "AzeoTech",
"versions": [
{
"lessThanOrEqual": "21.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocco Calvi (@TecR0c) with TecSecurity"
},
{
"lang": "en",
"type": "finder",
"value": "rgod working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T17:57:54.822Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use after free in AzeoTech DAQFactory",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUsers are discouraged from using documents from unknown/untrusted sources.\u003c/li\u003e\u003cli\u003eUsers are encouraged to store .ctl files in a folder only writeable by admin-level users.\u003c/li\u003e\u003cli\u003eUsers are encouraged to operate in \u201cSafe Mode\u201d when loading documents that have been out of their control.\u003c/li\u003e\u003cli\u003eUsers are encouraged to apply a document editing password to their documents.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Users are discouraged from using documents from unknown/untrusted sources.\n * Users are encouraged to store .ctl files in a folder only writeable by admin-level users.\n * Users are encouraged to operate in \u201cSafe Mode\u201d when loading documents that have been out of their control.\n * Users are encouraged to apply a document editing password to their documents."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-12921",
"datePublished": "2026-06-25T17:57:54.822Z",
"dateReserved": "2026-06-22T16:34:48.169Z",
"dateUpdated": "2026-06-25T18:31:02.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12706 (GCVE-0-2026-12706)
Vulnerability from cvelistv5 – Published: 2026-06-19 10:55 – Updated: 2026-06-22 19:28- CWE-416 - Use After Free
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-12706 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2490710 | issue-trackingx_refsource_REDHAT |
| https://lists.ffmpeg.org/archives/list/ffmpeg-dev… | |
| https://patchwork.ffmpeg.org/project/ffmpeg/patch… |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T19:27:58.329322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T19:28:06.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "ffmpeg",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "unaffected",
"packageName": "nv-codec-headers",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-aws-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-rocm-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gcp-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-rocm-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-openvino-model-server-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Upstream acknowledges Seung Min Shin as the original reporter."
}
],
"datePublic": "2026-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability was found in FFmpeg\u0027s RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:00:32.073Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-12706"
},
{
"name": "RHBZ#2490710",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490710"
},
{
"url": "https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/TTRIJZA7UL6KJTEDMMBGZPLLJERJ3EFX/"
},
{
"url": "https://patchwork.ffmpeg.org/project/ffmpeg/patch/177766314111.63.10674887811034989327@29965ddac10e/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-02T06:59:55.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move()",
"workarounds": [
{
"lang": "en",
"value": "If the RASC decoder is not needed, it can be disabled at build time with --disable-decoder=rasc. There is no runtime workaround that disables the decoder without rebuilding FFmpeg."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-12706",
"datePublished": "2026-06-19T10:55:03.634Z",
"dateReserved": "2026-06-19T10:26:41.217Z",
"dateUpdated": "2026-06-22T19:28:06.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.