| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. |
| In the Linux kernel, the following vulnerability has been resolved:
zloop: fix KASAN use-after-free of tag set
When a zoned loop device, or zloop device, is removed, KASAN enabled
kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
Hence the KASAN use-after-free.
zloop_ctl_remove()
put_disk(zlo->disk)
put_device()
kobject_put()
...
zloop_free_disk()
kvfree(zlo)
blk_mq_free_tag_set(&zlo->tag_set)
To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
from zloop_ctl_remove() into zloop_free_disk(). This ensures that
the tag_set is freed before the call to kvfree(zlo). |
| Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows Connected Devices Platform Service allows an unauthorized attacker to execute code over a network. |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows Media allows an authorized attacker to elevate privileges locally. |
| Use after free in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally. |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Workspace Broker allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows Event Tracing allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over an adjacent network. |
| Use after free in Microsoft MPEG-2 Video Extension allows an authorized attacker to execute code locally. |
| Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network. |
| Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. |
