Skip to main content
CVE-2025-71071 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.

Linux Use After Free Mediatek Memory Corruption Information Disclosure +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71068 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20924 HIGH PATCH This Week

Privilege escalation in Windows Management Services via use-after-free memory corruption affects Windows 10, Windows 11, and Windows Server 2019, enabling authenticated local attackers to gain elevated system privileges. An authorized user can exploit this vulnerability through a race condition to execute arbitrary code with higher privileges. No patch is currently available for this vulnerability.

Windows Use After Free Windows 11 25h2 Windows Server 2019 Windows 10 22h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20918 HIGH PATCH This Week

Windows Management Services on Windows 10 and 11 contains a race condition in shared resource synchronization that enables authenticated local users to escalate privileges to system level. The vulnerability affects multiple Windows versions including 22h2, 21h2, and 25h2 builds, with no patch currently available.

Windows Race Condition Windows 11 25h2 Windows 10 22h2 Windows 10 21h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20874 HIGH PATCH This Week

Privilege escalation in Windows Management Services on Windows 10 and 11 stems from improper synchronization of shared resources, enabling local authenticated attackers to gain elevated privileges. The race condition can be exploited without user interaction and impacts confidentiality, integrity, and availability across system boundaries. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 Windows 11 24h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20873 HIGH PATCH This Week

Privilege escalation in Windows Management Services (Windows 10/11) stems from improper synchronization of shared resources, allowing authenticated local users to gain elevated privileges through race condition exploitation. The vulnerability affects multiple Windows versions including 22H2 and 24H2 builds, with no patch currently available. An attacker with valid credentials can leverage this flaw to escalate from a standard user account to system-level access.

Windows Race Condition Windows 10 22h2 Windows 11 24h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20867 HIGH PATCH This Week

Local privilege escalation in Windows Management Services affects Windows Server 2019, Windows 11 24h2, and Windows Server 2025 through improper synchronization of shared resources, enabling authenticated users to gain elevated system privileges. The vulnerability exploits a race condition that an attacker can trigger without user interaction, though no patch is currently available.

Windows Race Condition Windows Server 2019 Windows 11 24h2 Windows Server 2025 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20866 HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2019 contains a race condition in shared resource synchronization that enables local privilege escalation for authenticated users. An attacker with local access can exploit improper locking mechanisms to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2019 Windows 10 22h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20861 HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2022 contain a race condition in shared resource handling that permits authenticated local attackers to escalate privileges to system level. The vulnerability stems from improper synchronization during concurrent operations and affects multiple Windows versions including Windows 10 22H2 and 1809. No patch is currently available for this high-severity issue (CVSS 7.8).

Windows Race Condition Windows Server 2022 Windows 10 22h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20831 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock contains a race condition that enables local privilege escalation on affected Windows systems including Server 2008, Server 2019, and Windows 10 22H2. An authenticated attacker can exploit this timing vulnerability to gain elevated privileges with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2008 Windows Server 2019 Windows 10 22h2 +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20826 HIGH PATCH This Week

Privilege escalation in Windows Tablet UI (TWINUI) subsystem on Windows 10, Windows Server 2022, and Windows Server 2025 stems from improper synchronization of shared resources, enabling authenticated local attackers to gain elevated privileges. The race condition vulnerability affects multiple Windows versions and currently has no available patch.

Windows Race Condition Windows Server 2022 23h2 Windows Server 2025 Windows 10 21h2 +10
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20816 HIGH PATCH This Week

Windows Installer contains a time-of-check time-of-use race condition that allows authenticated local attackers to escalate privileges on Windows 10 1809, Windows 11 25h2, and Windows Server 2022 23h2. An attacker with local access can exploit the window between permission validation and file operation execution to gain elevated system access. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 25h2 Windows 10 1809 Windows Server 2022 23h2 +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71100 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT.

Linux Buffer Overflow Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71099 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock.

Linux Use After Free Information Disclosure Memory Corruption Linux Kernel +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71073 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.

Linux Use After Free Information Disclosure Memory Corruption Linux Kernel +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20922 HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow Windows 10 1607 Windows 11 25h2 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20857 HIGH PATCH This Week

Windows Cloud Files Mini Filter Driver contains an unsafe pointer dereference vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows versions including Windows 10 1809, Windows 11, and Windows Server 2022. An attacker with valid credentials can exploit this flaw to gain elevated system privileges without user interaction. No patch is currently available for this high-severity vulnerability.

Windows Windows 10 1809 Windows Server 2022 Windows 11 23h2 Windows 11 24h2 +7
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20840 HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow Windows 10 21h2 Windows Server 2019 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20832 HIGH PATCH This Week

Privileged local attackers can exploit a use-after-free vulnerability in the Windows RPC IDL subsystem to gain system-level code execution on affected Windows 10, Windows 11, Windows Server 2016, and Windows Server 2022 systems. The vulnerability requires local access and valid credentials but allows complete compromise of the target system with no user interaction required. No patch is currently available, leaving vulnerable systems at risk.

Windows Windows 11 23h2 Windows Server 2022 23h2 Windows 10 22h2 Windows Server 2016 +9
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20820 HIGH PATCH This Week

Heap buffer overflow in Windows Common Log File System Driver (affecting Windows 10 1607, Server 2016, and Server 2022 23h2) enables authenticated local users to achieve complete system compromise through privilege escalation. The vulnerability requires valid credentials but no user interaction, making it a direct path to administrative control for insiders or attackers with initial access. No patch is currently available, leaving affected systems at elevated risk pending remediation.

Windows Buffer Overflow Heap Overflow Windows Server 2016 Windows Server 2022 23h2 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-10865 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. [CVSS 7.8 HIGH]

Use After Free Ddk
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71089 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). [CVSS 7.8 HIGH]

Linux Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-68817 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. [CVSS 7.8 HIGH]

Linux Use After Free Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-37186 HIGH This Week

A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. [CVSS 7.8 HIGH]

Privilege Escalation RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21226 HIGH PATCH This Week

Remote code execution in Azure Core Shared Client Library for Python results from insecure deserialization of untrusted data, allowing authenticated network-based attackers to achieve arbitrary code execution. The vulnerability affects Python applications utilizing the vulnerable library versions, with no patch currently available. This represents a high-severity risk for Azure SDK consumers handling external or user-supplied serialized data.

Python Azure Deserialization Azure Core Shared Client Library Suse
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2026-20852 HIGH PATCH This Week

Windows Hello privilege escalation on Windows 10, 11, and Server 2019 allows local attackers without credentials to tamper with system integrity through incorrect privilege assignment. The vulnerability requires local access but no user interaction, enabling unauthorized modifications to protected resources. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 11 24h2 Windows 11 25h2 Windows Server 2019 Windows 10 21h2 +9
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-20804 HIGH PATCH This Week

Windows Hello privilege elevation flaw in Windows 10 21h2, Windows Server 2019, 2022, and 2022 23h2 enables local attackers to modify system data without authorization. The vulnerability stems from improper privilege assignment that bypasses access controls, allowing an unauthenticated attacker with local access to tamper with protected resources. Currently no patch is available and exploitation requires only local access with no special conditions or user interaction.

Windows Windows Server 2022 23h2 Windows Server 2022 Windows 10 21h2 Windows Server 2019 +9
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-0386 HIGH PATCH This Week

Windows Deployment Services contains improper access control that enables unauthenticated attackers on an adjacent network to execute arbitrary code with high privileges on affected Windows and Windows Server systems. The vulnerability affects multiple Windows versions including Server 2012, 2019, and 2022 variants, with no patch currently available. An adjacent network attacker requires only network proximity to exploit this vulnerability, making lateral movement within networked environments a significant risk.

Windows Windows Server 2019 Windows Server 2022 23h2 Windows Server 2012 Windows Server 2022 +4
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20875 HIGH PATCH This Week

Remote denial of service in Windows LSASS affects Windows 10 and 11 through a null pointer dereference that an unauthenticated attacker can trigger over the network. The vulnerability causes service unavailability but does not enable code execution or data theft. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.

Windows Null Pointer Dereference Windows 11 24h2 Windows 10 21h2 Windows 10 1809 +12
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20849 HIGH PATCH This Week

Windows Kerberos authentication in multiple Windows versions accepts untrusted input during security decisions, enabling authenticated network attackers to escalate privileges without user interaction. The vulnerability affects Windows 10 (versions 1607 and 1809), Windows Server 2012, and Windows Server 2025, with no patch currently available. An attacker with valid credentials can exploit this to gain elevated system access across the network.

Windows Windows Server 2025 Windows 10 1607 Windows Server 2012 Windows 10 1809 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20854 HIGH PATCH This Week

Remote code execution in Windows LSASS (Local Security Authority Subsystem Service) on Windows 11 and Windows Server 2025 stems from a use-after-free memory vulnerability exploitable by authenticated attackers over the network. An attacker with valid credentials can trigger the flaw to execute arbitrary code with SYSTEM privileges, achieving complete system compromise. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a security update.

Windows Use After Free Windows Server 2025 Windows 11 25h2 Windows 11 24h2 +1
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20934 HIGH PATCH This Week

Privilege escalation in Windows SMB Server (Server 2025, Windows 11 24H2, Windows 10 22H2) stems from improper synchronization of shared resources during concurrent execution, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires high complexity exploitation but carries high impact across confidentiality, integrity, and availability. No patch is currently available.

Windows Race Condition Windows Server 2025 Windows 11 24h2 Windows 10 22h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20926 HIGH PATCH This Week

Privilege escalation in Windows SMB Server (versions 10 22h2, 11 23h2, and 11 25h2) stems from improper synchronization of shared resources, allowing authenticated network attackers to elevate privileges. The race condition vulnerability requires specific timing conditions but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 Windows 11 25h2 Windows 10 22h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20921 HIGH PATCH This Week

Privilege escalation in Windows SMB Server (2022, 2025) stems from improper synchronization of concurrent resource access, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires specific conditions to trigger but provides high-impact unauthorized access when successfully exploited. No patch is currently available for affected systems.

Race Condition Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20919 HIGH PATCH This Week

Windows SMB Server contains a race condition in concurrent resource handling that enables authenticated network attackers to escalate privileges on affected systems including Windows 10 22H2, Windows 10 1607, and Windows Server 2025. The vulnerability requires low attack complexity and network access from an authenticated user, but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this HIGH severity issue (CVSS 7.5).

Windows Race Condition Windows 10 22h2 Windows Server 2025 Windows 10 1607 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20848 HIGH PATCH This Week

Privilege escalation via race condition in Windows SMB Server affects Windows 10 21h2, Windows 11 25h2, and Windows Server 2022 23h2, allowing authenticated attackers to gain elevated privileges over the network. The vulnerability stems from improper synchronization when handling concurrent access to shared resources, and no patch is currently available. With a CVSS score of 7.5, this poses a significant risk to organizations using affected Windows versions.

Windows Race Condition Windows 10 21h2 Windows 11 25h2 Windows Server 2022 23h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68704 HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. [CVSS 7.5 HIGH]

Java Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-37165 HIGH This Week

router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor is affected by information exposure (CVSS 7.5).

HP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20929 HIGH PATCH This Week

Windows HTTP.sys contains an access control weakness that enables authenticated network attackers to escalate privileges on affected Windows systems including Windows 10 and Windows Server 2016/2019. The vulnerability requires low attack complexity and existing user credentials but grants complete compromise of confidentiality, integrity, and availability. No patch is currently available for this HIGH severity issue.

Windows Windows 10 22h2 Windows Server 2019 Windows Server 2016 Windows 10 1809 +8
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22868 HIGH PATCH This Week

Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service to affected network participants. An unauthenticated attacker on the network can exploit this vulnerability without user interaction to force vulnerable nodes offline. A patch is available in version 1.16.8 and later.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22862 HIGH PATCH This Week

Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resulting in denial of service. This network-based attack requires no user interaction and affects Golang and Go Ethereum implementations prior to version 1.16.8. A patch is available to remediate this high-severity vulnerability.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68931 HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-37166 HIGH This Week

A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. [CVSS 7.5 HIGH]

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20965 HIGH PATCH This Week

Windows Admin Center fails to properly validate cryptographic signatures, enabling high-privileged users to bypass security controls and gain elevated system access on local machines. This vulnerability affects both Windows and Windows Admin Center installations and requires an authenticated attacker with administrative credentials to exploit. No patch is currently available for this issue.

Windows Windows Admin Center
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68701 HIGH PATCH This Week

Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68702 HIGH PATCH This Week

Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46685 HIGH This Week

Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. [CVSS 7.5 HIGH]

Information Disclosure Dell Supportassist Os Recovery
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68703 HIGH PATCH This Week

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). [CVSS 7.5 HIGH]

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68698 HIGH PATCH This Week

Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Jenkins Jervis
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20853 HIGH PATCH This Week

Windows WalletService contains a race condition that permits local privilege escalation on Windows 10 and Windows 11 systems. An unauthenticated attacker with local access can exploit improper synchronization of shared resources to gain elevated privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 Windows 11 25h2 Windows 10 22h2 +5
NVD
CVSS 3.1
7.4
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy