CWE-825
Expired Pointer Dereference
Description
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CVEs mapped to this weakness (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49794 | | Cri | 0.59 | 9.1 | 0.01 | | Jun 16, 2025 | A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the `<sch:name path="..."/>` schema elements. This flaw allows a malicious actor to craft a malicious XML document used as… |
| CVE-2026-34001 | | Hig | 0.51 | 7.8 | 0.00 | | Apr 23, 2026 | A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server… |
| CVE-2026-8854 | | Hig | 0.49 | 7.5 | 0.00 | | May 26, 2026 | IBM HTTP Server 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache. |
| CVE-2025-49795 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 16, 2025 | A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. |
| CVE-2026-7111 | | Hig | 0.48 | 8.4 | 0.00 | | Apr 29, 2026 | Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example… |
| CVE-2024-45105 | | Med | 0.44 | 6.7 | 0.00 | | Sep 13, 2024 | An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code. |
| CVE-2026-2436 | | Med | 0.42 | 6.5 | 0.00 | | Mar 26, 2026 | A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection… |
| CVE-2026-32873 | | Hig | 0.42 | 7.5 | 0.01 | | Mar 20, 2026 | ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse… |
| CVE-2026-5165 | | Med | 0.37 | 6.7 | 0.00 | | Mar 30, 2026 | A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially… |
| CVE-2026-42014 | | Med | 0.36 | 6.6 | 0.00 | | Jun 16, 2026 | A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected… |
| CVE-2025-10911 | | Med | 0.36 | 5.5 | 0.00 | | Sep 25, 2025 | A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. |
| CVE-2025-61664 | | Med | 0.32 | 4.9 | 0.00 | | Nov 18, 2025 | A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking… |
| CVE-2025-61663 | | Med | 0.32 | 4.9 | 0.00 | | Nov 18, 2025 | A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can… |
| CVE-2025-54771 | | Med | 0.32 | 4.9 | 0.00 | | Nov 18, 2025 | A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this… |
| CVE-2025-54770 | | Med | 0.32 | 4.9 | 0.00 | | Nov 18, 2025 | A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from… |
| CVE-2026-35094 | | Low | 0.21 | 3.3 | 0.00 | | Apr 1, 2026 | A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system… |
| CVE-2026-54778 | | | 0.00 | — | — | | Jun 19, 2026 | Impact: Race condition in POSIX peer identity resolution may attribute one connection’s identity to another (getpwuid/getgrgid non-reentrant) and may crash the host process under contention. Patches: Fixed in CoreWCF v1.8.1 and v1.9.1. Workarounds: Restrict UDS… |
| CVE-2025-12119 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | A mongoc_bulk_operation_t may read invalid memory if large options are passed. |
| CVE-2021-39228 | | — | 0.00 | — | 0.01 | | Sep 17, 2021 | Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety issue when using `patch` or `merge` on `state` and assigning the result back to `state`. In this case, affected versions of… |