From 8f0614ab5429c2ceaeb4b121de049bec49a26850 Mon Sep 17 00:00:00 2001
From: J-P Nurmi
Date: Mon, 23 Feb 2026 16:18:12 +0100
Subject: [PATCH 1/2] fix(value): use-after-free in object merge
Incref before set_by_key to match the pattern in sentry__value_clone. On OOM, set_by_key decrefs the value, which may free a value still referenced by the source object.
Fixes: #1538
Co-Authored-By: Claude Opus 4.6
---
 src/sentry_value.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sentry_value.c b/src/sentry_value.c
index 978251e3b..9d6e9e654 100644
--- a/src/sentry_value.c
+++ b/src/sentry_value.c
@@ -1112,10 +1112,10 @@ sentry__value_merge_objects(sentry_value_t dst, sentry_value_t src)
 return 1;
 }
 } else if (sentry_value_is_null(dst_val)) {
+ sentry_value_incref(src_val);
 if (sentry_value_set_by_key(dst, key, src_val) != 0) {
 return 1;
 }
- sentry_value_incref(src_val);
 }
 }
 return 0;
From 857e3d8d98f2edb37c9ee596008abd7f0d6875dc Mon Sep 17 00:00:00 2001
From: J-P Nurmi
Date: Mon, 23 Feb 2026 16:23:00 +0100
Subject: [PATCH 2/2] Update changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88f1fd349..b7749110c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## Unreleased
+
+**Fixes**:
+
+- Fix use-after-free on allocation failure when merging scope tags, extra, and contexts into a captured event. ([#1539](https://github.com/getsentry/sentry-native/pull/1539))
+
 ## 0.13.0
 **Breaking**:
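Review bot: The `sentry_value_incref(src_val);` that now precedes `sentry_value_set_by_key` in the `sentry_value_is_null(dst_val)` branch of src/sentry_value.c is order-sensitive, yet nothing in the code says so, and a later tidy-up could move it back below the call and reintroduce the use-after-free. I would add a comment above it such as `/* set_by_key consumes one reference and drops it on failure; take ours first so src keeps its own */`, which restates the ownership rule given in the commit message. The series also adds no test for the failing path, so the fix is pinned only by the changelog entry. A unit test that forces `sentry_value_set_by_key` to return non-zero during a merge (presumably via allocation-failure injection, if the test harness has it) and then reads the source object afterwards would guard against regression. The body of `sentry__value_merge_objects` starts and ends outside this hunk, so the borrowed or owned status of `dst_val` and `src_val` could not be checked from here.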