Use-After-Free
What is Use-After-Free?
Use-After-Free: A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
A use-after-free (UAF) happens when a pointer keeps referencing an object after free()/delete has released it. The allocator is free to hand that memory out again, so if the attacker can cause the same region to be reallocated as an object they control, a technique called heap grooming or "heap feng shui", every later access through the dangling pointer reads and writes attacker-chosen bytes as if they were the original object. That is a type confusion, and it is ideal for replacing virtual-function pointers, callback addresses, length fields or other sensitive state; even a read-only use of freed memory can leak pointers that defeat ASLR. UAFs are among the most common bug classes in browser and kernel exploitation and are catalogued as CWE-416.
Named cases illustrate the impact. CVE-2018-8174, a UAF in the VBScript engine reachable through Internet Explorer (and through Office documents that embed it), was weaponised in the "Double Kill" zero-day and later folded into exploit kits. CVE-2022-0609, a UAF in Chrome's Animation component, was exploited in the wild as a zero-day; Google's Threat Analysis Group attributed the campaigns to North Korean state actors targeting media and fintech firms. The prevalence of such bugs is why Microsoft and Google both report that roughly 70% of the serious security bugs they track (Microsoft's patched CVEs, Chromium's high-severity bugs) stem from memory-safety errors, driving the industry push toward memory-safe languages such as Rust.
flowchart TD
    A[Object allocated, pointer P references it] --> B["free() / delete called"]
    B --> C[P now dangles, memory returned to allocator]
    C --> D[Attacker sprays heap to reclaim the slot]
    D --> E[Same memory reallocated as attacker-controlled object]
    E --> F[Program dereferences P]
    F --> G[Type confusion -> hijack vtable / control flow]
Defences include disciplined ownership models (RAII, smart pointers, clearing the last reference at the point of free), garbage-collected languages, or memory-safe languages such as Rust, whose borrow checker rejects dangling references at compile time. Hardened allocators raise the cost of grooming by quarantining freed chunks, keeping objects of different types in separate partitions, and sampling allocations with GWP-ASan; AddressSanitizer, KASAN and Valgrind flag the first access to freed memory during testing. Chrome additionally deploys MiraclePtr (BackupRefPtr), a reference-counted raw-pointer wrapper built on PartitionAlloc that keeps a chunk quarantined while raw pointers still reference it, so a stale dereference sees zeroed memory rather than an attacker's object.
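The following is an added example, not code from the page or from any of the projects it names. It walks the flowchart above in C: a toy session_t (my own layout, chosen so the first field of a same-sized attacker allocation lands on the callback pointer) is freed while a global still points at it, the attacker reclaims the slot, and the stale call dispatches to a hypothetical privileged sink. The same flow is run with the defence from the paragraph above (the only reference cleared at the point of free). Grooming succeeds only when the allocator hands the freed slot straight back, which glibc's tcache does for a same-size free/malloc pair on one thread; under other allocators or AddressSanitizer the code reports a groom miss instead of dereferencing freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy session object (assumption, not from the page): a callback pointer
   followed by a small name buffer. sizeof(session_t) is the spray size. */
typedef struct {
    void (*on_close)(const char *who);
    char name[24];
} session_t;

enum uaf_result { UAF_GROOM_MISS = 0, UAF_HIJACKED = 1, UAF_BLOCKED = 2 };

/* grant_admin stands in for whatever privileged sink the attacker aims at. */
static int g_privileged_calls;
static void audit_close(const char *who) { (void)who; }
static void grant_admin(const char *who) { (void)who; g_privileged_calls++; }
int privileged_calls(void) { return g_privileged_calls; }

/* The dangling pointer lives in a global, as it often does in real bugs
   (a cache, a parent object, an event queue). volatile stops the compiler
   from assuming the object is unchanged when the pointer is reloaded. */
static session_t *volatile g_current;

/* Vulnerable pattern: the object is freed but g_current keeps pointing at it. */
static void close_session(session_t *s) { free(s); }

/* Hardened pattern: the only reference is cleared at the point of free. */
static void close_session_safe(session_t *volatile *slot) { free(*slot); *slot = NULL; }

/* Attacker's half: claim a same-sized chunk and fill it with bytes shaped
   like a session_t whose callback is grant_admin. In a real exploit the
   first field would be a gadget or shellcode address. */
static unsigned char *spray_one(void) {
    unsigned char *chunk = malloc(sizeof(session_t));
    if (!chunk) return NULL;
    void (*payload)(const char *) = grant_admin;
    memcpy(chunk, &payload, sizeof payload);
    memcpy(chunk + sizeof payload, "attacker", 9);
    return chunk;
}

static enum uaf_result run(int hardened) {
    g_privileged_calls = 0;
    session_t *s = malloc(sizeof *s);
    if (!s) return UAF_GROOM_MISS;
    s->on_close = audit_close;
    strcpy(s->name, "guest");
    g_current = s;
    uintptr_t old_addr = (uintptr_t)s;      /* remembered before the free */

    if (hardened) close_session_safe(&g_current);
    else          close_session(g_current);

    unsigned char *chunk = spray_one();
    if (!chunk) return UAF_GROOM_MISS;

    session_t *stale = g_current;           /* NULL if hardened, dangling if not */
    if (stale == NULL) { free(chunk); return UAF_BLOCKED; }

    /* Grooming only worked if the allocator returned the freed slot itself.
       We compare addresses rather than touching freed memory, so a miss
       (quarantining allocator, ASan, different bin) is reported, not crashed on. */
    if ((uintptr_t)chunk != old_addr) { free(chunk); return UAF_GROOM_MISS; }

    stale->on_close(stale->name);           /* type confusion: grant_admin("attacker") */
    free(chunk);
    return g_privileged_calls == 1 ? UAF_HIJACKED : UAF_GROOM_MISS;
}

enum uaf_result vulnerable_flow(void) { return run(0); }
enum uaf_result hardened_flow(void)   { return run(1); }

int main(void) {
    static const char *names[] = { "groom miss", "hijacked", "blocked" };
    printf("vulnerable: %s\n", names[vulnerable_flow()]);
    printf("hardened:   %s\n", names[hardened_flow()]);
    return 0;
}
```

Compiling with -fsanitize=address is a useful second run: ASan's quarantine makes the reclaim fail, so the vulnerable flow reports a groom miss, and if you remove the address check it aborts at the first read of freed memory, which is exactly the signal the testing tools in the paragraph above provide.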
● Examples
- 01
CVE-2018-8174 (VBScript engine) — UAF exploited by APT actors.
- 02
CVE-2022-0609 (Chrome animation) — UAF, used as a zero-day.
● Frequently asked questions
What is Use-After-Free?
A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution. It belongs to the Vulnerabilities category of cybersecurity.
What does Use-After-Free mean?
A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
How do you defend against Use-After-Free?
Defences for Use-After-Free combine engineering controls (ownership discipline such as RAII and smart pointers, memory-safe languages, hardened allocators with quarantine and type isolation, pointer wrappers such as MiraclePtr) with testing under AddressSanitizer, KASAN or Valgrind, as detailed in the full definition above.
What are other names for Use-After-Free?
Common alternative names include: UAF.