< ciso
brief />
Tag Banner

All news with #use after free tag

20 articles

15-Year-Old Linux GhostLock Flaw Enables Root

🛡️ Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel use-after-free that allows any logged-in user to gain root privileges on unpatched systems. The bug, present in mainstream distributions since 2011, requires only ordinary local threading calls and no network access. Nebula developed a 97% reliable exploit that also escapes containers and received $92,337 from Google's kernelCTF bounty. Patching is urgent, with early fixes having introduced a follow-up crash bug and distributions still rolling out the corrected kernel.
read more →

16-year KVM bug allows guest-to-host escape

🛡️ A critical KVM vulnerability, tracked as CVE-2026-53359 and nicknamed Januscape, lets an attacker with root in a guest VM execute code on the Linux host by exploiting a use-after-free in KVM's shadow MMU emulation on x86. Discovered by Hyunwoo Kim and present for 16 years, it affects both Intel and AMD servers and can enable host kernel panic, denial-of-service, or full RCE; some distros also allow local escalation via world-writable /dev/kvm. The Linux kernel was patched on June 16, but distribution rollouts may lag.
read more →

Januscape Linux kernel flaw enables VM escape

🛡️ A 16-year-old Linux kernel vulnerability called Januscape (CVE-2026-53359) allows guest-to-host escapes via a use-after-free in the KVM/x86 shadow MMU emulation. Discovered and detailed by researcher Hyunwoo Kim and patched in June 2026, it affects both Intel and AMD architectures and was used in Google's kvmCTF program. Unpatched multi-tenant hosts, especially with world-writable /dev/kvm, risk host takeover or denial-of-service.
read more →

Januscape: 16-year KVM flaw allows guest-to-host escape

🛡️ A long-standing use-after-free bug in Linux's KVM shadow MMU, tracked as CVE-2026-53359 and dubbed Januscape, lets a guest VM corrupt host shadow-page state and can reliably panic hosts. The public PoC triggers host crashes; the researcher reported an unreleased exploit that achieves full host code execution on Intel and AMD. Fixes were merged June 19, 2026 and backported to stable kernels on July 4, 2026; hosts with nested virtualization should be patched or have nesting disabled.
read more →

Bad Epoll kernel flaw lets local users become root

🛡️ A newly disclosed Linux kernel vulnerability, Bad Epoll (CVE-2026-46242), allows an ordinary local user to escalate privileges to root and affects Linux desktops, servers, and Android. The flaw is a use-after-free race in the epoll subsystem; the timing window is tiny but an exploit by researcher Jaeyoung Chung widens it and succeeds reliably. A fix is available upstream (commit a6dc643c6931) and distributions should backport it; kernels built on 6.4+ are affected unless patched.
read more →

Apple issues urgent iOS, macOS and Safari security updates

🔒 Apple released security updates for iOS, macOS, and Safari to address over three dozen vulnerabilities, including four WebKit flaws discovered with AI tools such as Anthropic Claude and OpenAI Codex Security. The fixes target memory corruption, out-of-bounds write, use-after-free, and other WebKit issues, plus several kernel-level bugs that could leak or corrupt memory. Updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2, and Apple noted no active exploitation has been reported.
read more →

F5 issues patches for two critical NGINX flaws

🛡️ F5 released updates to fix two critical vulnerabilities in NGINX Open Source that can allow remote code execution. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module and CVE-2026-42055 is a heap-based buffer overflow affecting proxy and gRPC modules when specific directives are set. Patches are available across NGINX Open Source, NGINX Plus, Gateway Fabric, Instance Manager, WAF, DoS modules and Ingress Controller versions. Mitigations include disabling HTTP/3 for CVE-2026-42530 and adjusting ignore_invalid_headers or large_client_header_buffers settings for CVE-2026-42055.
read more →

F5 issues out‑of‑band patches for critical NGINX flaws

🔒 F5 released out-of-band updates to fix multiple NGINX vulnerabilities, including two critical flaws in the ngx_http_v3_module and ngx_http_proxy_v2/_grpc modules that can lead to DoS or code execution. The bugs cause use‑after‑free or heap buffer overflow in worker processes and affect NGINX Plus, Open Source, Gateway Fabric, and Instance Manager. Mitigations include disabling HTTP/3 and adjusting header buffer directives until patches are applied.
read more →

Exim BDAT Use-After-Free 'Dead.Letter' Patch Released

🔒 Exim has issued emergency updates to fix CVE-2026-45185, dubbed Dead.Letter, a critical use-after-free in BDAT message body parsing that manifests when TLS is handled via GnuTLS. The flaw is triggered when a client sends a TLS close_notify during an active BDAT transfer and then follows up with a final cleartext byte on the same TCP connection, which can corrupt heap metadata and enable code execution. It affects Exim 4.97 through 4.99.2 built with USE_GNUTLS=yes and is fixed in 4.99.3; there are no mitigations, so administrators should apply the update immediately.
read more →

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.
read more →

CISA Adds CVE-2026-5281 to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listing invokes BOD 22-01 remediation requirements for Federal Civilian Executive Branch agencies, which must remediate by the specified due date. CISA strongly urges all organizations to prioritize timely remediation and strengthen vulnerability management, as use-after-free flaws are a common and impactful attack vector.
read more →

Google Patches Chrome Zero-Day CVE-2026-5281 Exploit

🔒 Google released updates for Chrome to fix 21 vulnerabilities, including a zero-day (CVE-2026-5281) that has been exploited in the wild. Dawn, the WebGPU implementation, contains a use-after-free bug allowing a remote attacker with access to the renderer process to execute arbitrary code via crafted HTML. Users should update to versions 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux, and ensure Chromium-based browsers receive vendor patches.
read more →

Google fixes fourth Chrome zero-day exploited in 2026

⚠️ Google released emergency updates to fix a fourth actively exploited Chrome zero-day, tracked as CVE-2026-5281. The issue is a use-after-free in Dawn, Chromium's implementation of the WebGPU standard, and can cause crashes, rendering problems, or data corruption. Patches are available on Stable Desktop for Windows, macOS (146.0.7680.177/178), and Linux (146.0.7680.177); rollouts may take days, but updates are immediately available when checking.
read more →

Talos Disclosures: Foxit, Epic Games, and MedDream Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting Foxit PDF Editor, the Epic Games Store installer, and MedDream PACS. The issues include installer privilege escalation, two use‑after‑free flaws in Foxit that can be triggered by crafted PDF JavaScript, and 21 reflected XSS vulnerabilities in MedDream. Vendors have issued patches under Cisco’s disclosure policy. Administrators should apply vendor updates and consider IDS/IPS signatures such as Snort to detect attempted exploitation.
read more →

Apple Issues Security Updates for Two WebKit Zero-Days

🔒 Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari to address two WebKit vulnerabilities—CVE-2025-43529 and CVE-2025-14174—that have been exploited in the wild. One of the flaws was patched in Chrome earlier this week, and Apple credits Google TAG and its own SEAR team with discovery and reporting. The issues can lead to arbitrary code execution or memory corruption when processing malicious web content. Users and administrators should apply the listed OS and Safari updates immediately to mitigate active exploitation.
read more →

Apple patches two WebKit zero-days used in targeted attacks

🔒 Apple released emergency updates to patch two zero-day WebKit vulnerabilities — CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) — that were exploited in an 'extremely sophisticated' attack against targeted individuals. Both bugs affect devices running WebKit on iPhone and iPad and were discovered by Google’s Threat Analysis Group and Apple. Apple fixed the issues across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari and urges users to install updates promptly.
read more →

AzeoTech DAQFactory Multiple Memory-Corruption Flaws

🛡️ CISA warns of multiple memory-corruption vulnerabilities in AzeoTech DAQFactory (release 20.7 and prior) that can be triggered by specially crafted .ctl files. The flaws include out-of-bounds read/write, heap and stack overflows, use-after-free, type confusion, and access of uninitialized pointers; several have CVSS v4 scores up to 8.4. DAQFactory 21.1 addresses these issues and AzeoTech advises avoiding untrusted documents, restricting .ctl file permissions, and using Safe Mode when loading unverified files.
read more →

CISA Adds Two Vulnerabilities to Known-Exploited Catalog

🔒 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-6218 (WinRAR path traversal) and CVE-2025-62221 (Microsoft Windows use-after-free). The agency cited evidence of active exploitation and emphasized that these flaws are frequent attack vectors posing significant risk to the federal enterprise. CISA reiterated that BOD 22-01 requires FCEB agencies to remediate cataloged CVEs by the required due dates and urged all organizations to prioritize timely remediation.
read more →

Google AI 'Big Sleep' Finds Five WebKit Flaws in Safari

🔒 Google’s AI agent Big Sleep reported five vulnerabilities in Apple’s WebKit used by Safari, including a buffer overflow, two memory-corruption issues, an unspecified crash flaw, and a use-after-free (CVE-2025-43429 through CVE-2025-43434). Apple issued patches across iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1. Users are advised to install the updates promptly to mitigate crash and memory-corruption risks.
read more →

Redis 13-Year Use-After-Free Flaw Rated CVSS 10.0 Severity

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.
read more →