The Linux kernel's octeon_ep driver fails to properly clean up allocated memory and mapped resources when the octep_ctrl_net_init() function fails during device setup, resulting in a local denial of service condition. An authenticated local attacker could trigger this memory leak by causing the initialization to fail, exhausting system memory over time. A patch is not currently available for this vulnerability.
A null pointer dereference in the Linux kernel's perf scheduler functionality causes a denial of service when handling user space stacktraces for certain kernel tasks. Local attackers with low privileges can trigger this crash by exploiting inconsistent task classification logic that fails to properly identify user versus kernel tasks. The vulnerability affects the Linux kernel with no patch currently available.
The Linux kernel's btrfs send functionality fails to validate whether file extent items are inline extents before accessing the disk_bytenr field, potentially causing invalid memory access or metadata corruption on affected systems. A local attacker with file system access could exploit this to trigger a denial of service condition through carefully crafted inline extent items. No patch is currently available for this medium-severity vulnerability.
The Linux kernel ath12k WiFi driver incorrectly frees DMA memory buffers using aligned addresses instead of the original unaligned pointers returned by dma_alloc_coherent(), potentially causing memory management errors and denial of service on systems using affected WiFi hardware. A local attacker with user privileges can trigger this vulnerability through normal WiFi driver operations, leading to system instability or crashes. No patch is currently available for this medium-severity vulnerability.
Uninitialized pointer dereferences in the Linux kernel's interconnect debugfs implementation can cause denial of service when users interact with src_node and dst_node debugfs entries. A local attacker with standard user privileges can trigger memory access violations through reads or writes to these debugfs interfaces, crashing the system or causing kernel instability. No patch is currently available for this medium-severity vulnerability.
The Linux kernel io_uring/io-wq subsystem fails to properly monitor exit signals during work execution loops, allowing a local attacker with user privileges to cause the work queue to hang indefinitely by queuing operations that take excessive time to complete. This denial of service condition prevents the io-wq worker threads from shutting down gracefully, potentially blocking system operations that depend on io_uring. No patch is currently available for this vulnerability.
A null pointer dereference in the CephFS kernel client's MDS authentication matching function (ceph_mds_auth_match()) allows local attackers with low privileges to cause a denial of service by crashing the kernel when the mds_namespace mount option is not specified. This regression affects Linux kernel versions 6.18-rc1 and later, impacting systems using CephFS with default mount configurations. No patch is currently available for this vulnerability.
A NULL pointer dereference in the Intel ice network driver's ice_vsi_set_napi_queues() function can cause a kernel crash on Linux systems during suspend/resume operations when ring queue vectors are improperly initialized. Local users with standard privileges can trigger this denial of service condition through standard power management operations like systemctl suspend. No patch is currently available for this vulnerability affecting Linux kernel v6.18 and the Intel E810 Ethernet adapter family.
GSO segmentation when forwarding GRO packets containing a frag_list. The function skb_segment_list cannot correctly process GRO skbs contains a security vulnerability.
The Linux kernel's Bluetooth MGMT subsystem fails to properly deallocate memory structures in the set_ssp_complete() function, resulting in a memory leak for each completed SSP command. A local attacker with unprivileged user access can exploit this to cause denial of service through memory exhaustion over time. No patch is currently available.
The Linux kernel's DPLL subsystem fails to prevent duplicate pin registrations, allowing callers to register the same pin multiple times and causing memory management issues during unregistration. A local attacker with unprivileged access could trigger this condition to cause a denial of service through kernel warnings or crashes. No patch is currently available for this vulnerability.
Linux kernel dirty page throttling can cause system hangs when cgroup memory limits are restrictive, as processes become stuck waiting on balance_dirty_pages() io_schedule_timeout() calls. A local user with write permissions can trigger a denial of service by exhausting dirty page limits through intensive file operations, potentially freezing the system. No patch is currently available for affected kernels prior to v6.18.
Scheduler Widget (WordPress plugin) versions up to 0.1.6. is affected by authorization bypass through user-controlled key (CVSS 5.4).
Authenticated attackers with contributor-level access to WordPress sites can bypass authorization checks in the Accordion and Accordion Slider plugin (versions up to 1.4.5) to read and modify attachment metadata across the entire site. The vulnerability exists in improper permission validation within the attachment data handling functions, allowing unauthorized access to file paths, titles, captions, alt text, and custom links. No patch is currently available.
Unauthenticated attackers can modify the CallbackKiller service widget plugin's site ID settings in WordPress versions up to 1.2 due to missing capability checks in the AJAX handler, allowing unauthorized data manipulation without authentication. The vulnerability requires no user interaction and can be exploited remotely, though no patch is currently available.
One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...
Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).
The MailChimp Campaigns WordPress plugin through version 3.2.4 lacks proper authorization checks on an AJAX function, allowing authenticated subscribers to disconnect the site's MailChimp integration. This capability bypass enables low-privileged users to disrupt automated email campaigns and marketing workflows. No patch is currently available.
Unauthenticated attackers can modify appointment statuses in the Bookr WordPress plugin (versions up to 1.0.2) due to a missing capability check on the REST API endpoint. This allows unauthorized data manipulation without authentication or user interaction. No patch is currently available for this vulnerability.
The MP3 Audio Player plugin for WordPress versions 5.3-5.10 contains a server-side request forgery vulnerability in the lyrics loading function that allows authenticated users with author privileges to initiate arbitrary web requests from the affected server. This capability enables attackers to interact with internal services and potentially access or modify sensitive data on systems reachable from the web application.
The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]
SQL injection in Mail Mint plugin for WordPress (versions up to 1.19.2) allows authenticated administrators to execute arbitrary SQL queries through improperly sanitized parameters in multiple API endpoints. An attacker with admin-level access could exploit insufficient input escaping on 'order-by', 'order-type', and 'selectedCourses' parameters to extract sensitive data from the WordPress database. No patch is currently available for this vulnerability.
A race condition in the Linux kernel NFC subsystem allows local attackers with low privileges to cause a denial of service by triggering a use-after-free condition between rfkill device unregistration and NCI command queue destruction. An attacker can exploit this by closing a virtual NCI device file while rfkill operations are in progress, causing the kernel to access a destroyed work queue. No patch is currently available for this vulnerability.
The Linux kernel's ice driver contains a race condition in PTP (Precision Time Protocol) handling where periodic work can execute while the Virtual Station Interface (VSI) is being rebuilt, causing a NULL pointer dereference when accessing rx_rings. A local attacker with low privileges can trigger this vulnerability to cause a denial of service by crashing the kernel. No patch is currently available for this medium-severity vulnerability.
The Tegra210-QSPI driver in the Linux kernel is vulnerable to a race condition where an unprotected NULL pointer check in the interrupt handler can be exploited by a local attacker with low privileges to cause a denial of service through kernel panic. The vulnerability occurs when the timeout path clears the curr_xfer pointer while the ISR thread is simultaneously accessing it, resulting in a NULL dereference. A patch is available to resolve this issue by properly synchronizing access with spinlock protection.
A race condition in the Linux kernel's FireWire core transaction handling allows local attackers with low privileges to cause a denial of service by triggering concurrent processing of AR response and AT request completion events without proper synchronization. The vulnerability stems from transaction list enumeration occurring outside the card lock scope, enabling memory corruption or system crashes when exploited. No patch is currently available for this issue.
The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.
A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available.
A race condition in the Linux kernel's rxrpc subsystem allows local attackers with limited privileges to cause a denial of service by exploiting unsynchronized access to the last_tx_at timestamp variable, potentially triggering load/store tearing on 32-bit architectures. The vulnerability requires local access and specific timing conditions to trigger, but can result in system instability or crash when successfully exploited. No patch is currently available.
AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.
Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.
Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The Modula Image Gallery plugin for WordPress through version 2.13.6 fails to properly validate REST API permissions, allowing authenticated contributors and higher-privileged users to modify arbitrary post content by manipulating post IDs in API requests. Attackers can update titles, excerpts, and body content of posts they do not own, potentially leading to unauthorized content modification or injection attacks. No patch is currently available for this vulnerability.
WordPress Smart Forms plugin through version 2.6.99 fails to validate user permissions on the 'rednao_smart_forms_get_campaigns' AJAX action, allowing authenticated subscribers and higher-privileged users to retrieve sensitive donation campaign data. An attacker with basic WordPress account access can enumerate campaign IDs and names without proper authorization. A patch is not currently available for this vulnerability.
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]
The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.
Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.
Authenticated users with Author-level privileges in WordPress Media Library Folders plugin (versions up to 8.3.6) can delete or rename arbitrary attachments belonging to other users through insufficient validation in the delete_maxgalleria_media() and maxgalleria_rename_image() functions. The rename operation also destroys all postmeta associated with target attachments, resulting in permanent data loss. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak.
In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB.
In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes).
In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was trriggered setting max without limitation, the command is like: "echo test/region0 > dmem.max".