CVE-2026-6068
9.6 CRITICALNASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in ...
Published: 2026-04-10 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 9.6 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE
- CWE-416
Affected products
| Vendor | Product |
|---|---|
| nasm | netwide_assembler |
Description
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-6068
- [Exploit reference]https://github.com/netwide-assembler/nasm/issues/222
- [Exploit reference]https://sekai.team/blog/nasm-cve-disclosure/cve-2026-6068
Related CVEs
Same CWE
- CVE-2026-41158 — Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages
- CVE-2026-12035 — Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corrupt... (8.8 HIGH)
- CVE-2026-12029 — Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer pr... (8.3 HIGH)
- CVE-2026-12028 — Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer proc... (8.3 HIGH)
- CVE-2026-12023 — Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process ... (8.3 HIGH)