{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/double-free/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31507"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-31507","double-free","memory corruption","denial of service"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft published a security update guide addressing CVE-2026-31507, a double-free vulnerability residing in the net/smc (Sockets Multiplexing Controller) module of the Linux kernel. The vulnerability stems from a flaw in how the \u003ccode\u003etee()\u003c/code\u003e function handles the duplication of splice pipe buffers. Specifically, when \u003ccode\u003etee()\u003c/code\u003e duplicates a splice pipe buffer associated with the \u003ccode\u003esmc_spd_priv\u003c/code\u003e structure, it can lead to a double-free condition. This flaw could allow a local attacker to trigger memory corruption or a denial-of-service condition. While specific exploitation details are currently lacking, the nature of double-free vulnerabilities makes them a critical concern for system stability and security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious program that interacts with the net/smc module.\u003c/li\u003e\n\u003cli\u003eThe program triggers the \u003ccode\u003etee()\u003c/code\u003e function to duplicate a splice pipe buffer related to \u003ccode\u003esmc_spd_priv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the same memory region associated with \u003ccode\u003esmc_spd_priv\u003c/code\u003e is freed twice.\u003c/li\u003e\n\u003cli\u003eThe double-free corrupts the heap metadata.\u003c/li\u003e\n\u003cli\u003eSubsequent memory allocations may lead to arbitrary code execution or denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the memory corruption to escalate privileges.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation results in system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31507 can lead to memory corruption, potentially enabling arbitrary code execution and privilege escalation. A more likely outcome is a denial-of-service condition, where the system becomes unstable or crashes due to heap corruption. The vulnerability affects systems utilizing the affected net/smc module. While the number of potential victims is unknown, the wide deployment of the Linux kernel makes this a significant concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by Microsoft that addresses CVE-2026-31507 to mitigate the double-free vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual \u003ccode\u003etee()\u003c/code\u003e function calls within the \u003ccode\u003enet/smc\u003c/code\u003e module using a process creation rule with relevant command-line arguments and process ancestry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:27:47Z","date_published":"2026-04-23T07:27:47Z","id":"/briefs/2024-05-cve-2026-31507/","summary":"CVE-2026-31507 is a double-free vulnerability in the net/smc module that occurs when the tee() function duplicates a splice pipe buffer, potentially leading to memory corruption and denial of service.","title":"CVE-2026-31507 Double-Free Vulnerability in net/smc","url":"https://feed.craftedsignal.io/briefs/2024-05-cve-2026-31507/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-33824"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-33824","windows","ike","double-free","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33824 is a critical vulnerability affecting the Windows Internet Key Exchange (IKE) Extension. This double-free vulnerability enables an unauthenticated attacker to execute arbitrary code on a vulnerable system remotely. The vulnerability stems from improper memory management within the IKE service. Successful exploitation could lead to complete system compromise, making it a high-priority concern for defenders. Microsoft has assigned a CVSS v3.1 score of 9.8 to this vulnerability. This issue was reported to Microsoft and assigned CVE-2026-33824. The affected systems are those running the Windows IKE Extension without the necessary security update.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted IKE packet to the target system.\u003c/li\u003e\n\u003cli\u003eThe Windows IKE Extension processes the malicious IKE packet.\u003c/li\u003e\n\u003cli\u003eDue to a flaw in memory management, the IKE Extension attempts to free the same memory location twice (double-free).\u003c/li\u003e\n\u003cli\u003eThe double-free condition corrupts the heap memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the heap corruption to overwrite critical data structures.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code within the context of the IKE service.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33824 allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Windows system. Given the critical CVSS score of 9.8, the impact is severe. A compromised system could be used to steal sensitive data, establish a foothold for further network penetration, or cause a denial-of-service condition. Organizations that do not apply the patch released by Microsoft are at significant risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-33824 on all affected Windows systems immediately. Refer to the Microsoft advisory \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious IKE packets targeting your Windows systems. Deploy the network connection rule below to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Windows event logging for the IKE service and deploy the process creation rule below to detect unexpected processes spawned by the IKE service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-ike-double-free/","summary":"A double free vulnerability in the Windows IKE Extension, tracked as CVE-2026-33824, allows an unauthenticated remote attacker to execute arbitrary code over the network.","title":"CVE-2026-33824: Windows IKE Extension Double Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-ike-double-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-26179"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","kernel","double-free"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26179 is a critical security vulnerability residing within the Windows Kernel. This double-free vulnerability allows an attacker with local access to elevate their privileges. Successful exploitation grants the attacker higher-level permissions on the compromised system. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.8, indicating a high severity. The vulnerability lies within the core operating system components, making it a significant threat to Windows-based environments. Exploitation of this vulnerability requires an attacker to have valid local credentials on the target system. The vulnerability was published on 2026-04-14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial local access to a Windows system through legitimate credentials or by exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious program designed to trigger the double-free condition in the Windows Kernel.\u003c/li\u003e\n\u003cli\u003eThe malicious program interacts with a vulnerable kernel function, likely through a specific system call (Nt*).\u003c/li\u003e\n\u003cli\u003eThe vulnerable kernel function attempts to free the same memory region twice due to a logical error.\u003c/li\u003e\n\u003cli\u003eThe double-free corrupts the kernel\u0026rsquo;s memory management structures, such as the heap metadata.\u003c/li\u003e\n\u003cli\u003eThe memory corruption allows the attacker to overwrite critical kernel data structures, such as process tokens or privilege attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the process token of their own process, elevating their privileges to SYSTEM or another highly privileged account.\u003c/li\u003e\n\u003cli\u003eThe attacker now executes privileged commands and gains full control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26179 allows a local attacker to elevate privileges to SYSTEM, the highest level of privilege on a Windows system. This grants the attacker complete control over the compromised machine, allowing them to install software, modify data, create new accounts, and access sensitive information. A successful privilege escalation can lead to a complete compromise of the confidentiality, integrity, and availability of the system. This vulnerability affects all Windows systems where the patch has not been applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-26179 as soon as possible.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process creation events originating from user accounts, as this could be an indicator of exploit activity. Deploy the provided Sigma rule \u003ccode\u003eDetect Suspicious Process Token Modifications\u003c/code\u003e to identify potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process auditing and monitor for unusual system calls using tools like Sysmon to catch the initial exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRegularly review and enforce the principle of least privilege to limit the impact of successful local exploits.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Double Free Vulnerability Exploitation\u003c/code\u003e to identify exploitation of double free vulnerabilities by monitoring process creation and memory allocation patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-cve-2026-26179-privesc/","summary":"CVE-2026-26179 is a double free vulnerability in the Windows Kernel, allowing a locally authenticated attacker to elevate privileges on the system.","title":"CVE-2026-26179 Windows Kernel Double Free Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26179-privesc/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31609"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["smb","double-free","cve-2026-31609","rce"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31609 is a double-free vulnerability affecting the SMB (Server Message Block) client. The vulnerability resides in the \u003ccode\u003esmbd_free_send_io()\u003c/code\u003e function, which is called after \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e. A double-free vulnerability occurs when memory is freed twice, potentially leading to corruption of the heap and potentially allowing an attacker to execute arbitrary code. The specifics of exploitation are not detailed in the initial advisory but successful exploitation could lead to a complete compromise of the affected system. This vulnerability demands immediate attention from security teams due to the potential for remote code execution and the widespread use of the SMB protocol in networked environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SMB request designed to trigger the \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e function within the SMB client.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e function executes, processing the crafted SMB request.\u003c/li\u003e\n\u003cli\u003eDue to a flaw in the logic, the same memory is passed twice to a \u003ccode\u003efree()\u003c/code\u003e call within \u003ccode\u003esmbd_free_send_io()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe first \u003ccode\u003efree()\u003c/code\u003e call deallocates the memory as intended.\u003c/li\u003e\n\u003cli\u003eThe second \u003ccode\u003efree()\u003c/code\u003e call attempts to deallocate the already freed memory, causing a double-free condition.\u003c/li\u003e\n\u003cli\u003eThis double-free corrupts the heap metadata, creating an opportunity for an attacker to manipulate memory allocation.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the heap corruption to overwrite critical data structures within the SMB client process.\u003c/li\u003e\n\u003cli\u003eBy overwriting function pointers or other sensitive data, the attacker gains control of the execution flow, leading to arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31609 could allow an attacker to execute arbitrary code on the affected system with the privileges of the SMB client. Given the widespread use of SMB for file sharing and network communication, this vulnerability could be leveraged to gain unauthorized access to sensitive data, install malware, or disrupt critical services. The impact could range from data breaches and ransomware attacks to complete system compromise and lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31609 as soon as possible.\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to monitor for suspicious SMB traffic and potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts by monitoring for unusual SMB client process behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-smb-double-free/","summary":"CVE-2026-31609 is a critical double-free vulnerability in the SMB client, specifically within the smbd_free_send_io() function after smbd_send_batch_flush(), potentially leading to arbitrary code execution.","title":"CVE-2026-31609 SMB Client Double-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-smb-double-free/"}],"language":"en","title":"CraftedSignal Threat Feed — Double-Free","version":"https://jsonfeed.org/version/1.1"}