A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A reference counting vulnerability in the Linux kernel's tracing subsystem causes a WARN_ON to trigger when a process forks and both parent and child processes exit, particularly when the application calls madvise(MADV_DOFORK) to enable VMA copy-on-fork behavior. The vulnerability affects all Linux kernel versions with the vulnerable tracing_buffers_mmap code and allows local attackers to cause a kernel warning that may lead to denial of service or information disclosure through the kernel warning itself. While not currently listed in KEV or known to be actively exploited, the vulnerability has been patched in stable kernel branches as indicated by four separate commit references.
A memory buffer management vulnerability exists in the Linux kernel's ice network driver XDP (eXpress Data Path) implementation, specifically in how it calculates fragment buffer sizes for receive queues. The vulnerability affects Linux kernel versions with the vulnerable ice driver code path and can be triggered through XDP operations that attempt to grow multi-buffer packet tails, potentially causing kernel panics or denial of service. An attacker with the ability to load and execute XDP programs can exploit this by crafting specific packet sizes and offset values to trigger the panic condition, as demonstrated by the XSK_UMEM__MAX_FRAME_SIZE test case, though real-world exploitation requires local access to load XDP programs.
A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.
This vulnerability is a preemption context violation in the Linux kernel's block I/O tracing subsystem where tracing_record_cmdline() unsafely uses __this_cpu_read() and __this_cpu_write() operations from preemptible context. The Linux kernel in versions supporting blktrace (affected via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is vulnerable, allowing potential information disclosure or denial of service when block tracing is enabled and block I/O operations occur from user-space processes. This is not actively exploited in the wild (no KEV status), but the vulnerability has functional proof of concept through blktests/blktrace/002, making it a moderate priority for kernel maintainers and distributions shipping PREEMPT(full) configurations.
The Linux kernel's Realtek WiFi driver (rsi) incorrectly defaults to returning -EOPNOTSUPP error code in the rsi_mac80211_config function, which triggers a WARN_ON condition in ieee80211_hw_conf_init and deviates from expected driver behavior. This affects Linux kernel versions across multiple stable branches where the rsi WiFi driver is compiled and loaded. While not actively exploited in the wild, the issue causes kernel warnings and improper driver initialization that could degrade WiFi functionality or stability on affected systems.
A Linux kernel scheduler vulnerability in SCHED_DEADLINE task handling causes bandwidth accounting corruption when a deadline task holding a priority-inheritance mutex is changed to a lower priority class via sched_setscheduler(). The vulnerability affects Linux kernel implementations (all versions with SCHED_DEADLINE support) and can be triggered by local unprivileged users running specific workloads like stress-ng, potentially leading to kernel warnings, task accounting underflow, and denial of service. No active exploitation in the wild is currently documented, but the vulnerability is fixed in stable kernel branches as evidenced by the provided commit references.
A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.
This vulnerability is a resource leak in the Linux kernel's NVMe driver where the admin queue is not properly released during controller reset operations. Systems running affected Linux kernel versions are vulnerable to denial of service through memory exhaustion when NVMe controllers reset repeatedly. While no active exploitation in the wild has been reported and CVSS/EPSS scores are not yet published, the issue affects all Linux distributions and is resolved through kernel patching with fixes available across multiple stable branches.
This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.
A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.
A use-after-free vulnerability exists in the Linux kernel's CAN USB f81604 driver where URBs submitted in the read bulk callback are not properly anchored before submission, potentially allowing them to be leaked if usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions with the vulnerable f81604 driver code. An attacker with local access or control over a malicious USB CAN adapter could potentially trigger memory corruption or information disclosure by causing URB leaks during driver cleanup or device disconnection.
A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.
A memory leak vulnerability exists in the Linux kernel's pinctrl subsystem within the pinconf_generic_parse_dt_config() function. When the parse_dt_cfg() function fails, the code returns directly without executing cleanup logic, causing the cfg buffer to be leaked. This affects all Linux kernel versions containing the vulnerable pinctrl-generic code, and while the vulnerability itself does not enable direct code execution, it can lead to denial of service through memory exhaustion over time as the kernel gradually loses available memory.
A buffer handling vulnerability exists in the Linux kernel's CAN USB f81604 driver where improperly sized interrupt URB (USB Request Block) messages are not validated before processing, potentially leading to information disclosure or memory corruption. All Linux kernel versions with the affected CAN f81604 USB driver are impacted. An attacker with physical access to a malicious USB device or local system access could trigger abnormal URB message handling to leak kernel memory or cause denial of service. This vulnerability is not currently listed as actively exploited in known vulnerability databases, and no public proof-of-concept has been widely circulated, though patches are available across multiple kernel stable branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.
A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.
A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.
A logic error in the Linux kernel's bonding driver allows an unprivileged user to change the xmit_hash_policy parameter to an incompatible value (vlan+srcmac) while an XDP program is loaded, creating an inconsistent state where the kernel cannot safely unload the XDP program during device shutdown. This triggers a kernel warning and potential instability when the bond interface is destroyed. The vulnerability affects Linux kernel versions across multiple stable branches and requires local access to trigger.
A warning trace vulnerability exists in the Linux kernel's pinctrl equilibrium driver where the eqbr_irq_mask_ack() callback function incorrectly calls both eqbr_irq_mask() and eqbr_irq_ack(), causing gpiochip_disable_irq() to be invoked twice and generating spurious kernel warnings on every GPIO during driver load. All Linux kernel versions with the affected equilibrium pinctrl driver are impacted, though this is primarily a kernel stability and logging issue rather than a security vulnerability. The issue has been resolved in multiple stable kernel branches as evidenced by the five stable commit hashes referenced, indicating patches are available.
The Linux kernel contains a memory allocation failure vulnerability in the ASoC SDCA (Serial Data Center Audio) subsystem where the find_sdca_entity_iot() function allocates memory for an Entity name but fails to validate whether the allocation succeeded. An attacker with local access could trigger memory allocation failure conditions to cause an information disclosure or denial of service, depending on how the unvalidated null pointer is subsequently used. No CVSS score, EPSS data, or KEV status is currently available for this vulnerability.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.
A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.
A PM runtime reference leak exists in the Linux kernel's fp9931 regulator driver hwmon interface, where the pm_runtime_put_autosuspend() function fails to be called when regmap_read() encounters an error, causing the power management reference count to become unbalanced. This affects all Linux kernel versions with the vulnerable fp9931 driver code. While not directly exploitable for code execution, the reference leak can lead to device power management failures, potential denial of service through resource exhaustion, or unexpected device behavior in systems using the FP9931 regulator hardware.
An authorization flaw in macOS Tahoe allows applications to bypass access controls and retrieve protected user data due to improper state management during permission checks. Apple has addressed this vulnerability in macOS Tahoe 26.4, and all versions prior to 26.4 remain vulnerable. Affected users should prioritize upgrading to the patched version to prevent unauthorized data access by malicious or compromised applications.
Xcode versions prior to 26.4 contain an out-of-bounds read vulnerability that can be triggered by local users with user interaction to cause unexpected application or system termination. This denial-of-service condition affects developers and build systems using vulnerable Xcode installations. No patch is currently available.
A privacy vulnerability in macOS Tahoe allows applications to access sensitive user data that should have been protected through proper data isolation. The vulnerability affects macOS versions prior to 26.4, where sensitive data was not adequately segregated from application access. An attacker or malicious application could exploit this flaw to read protected user information without proper authorization, representing a direct information disclosure risk.
An authorization bypass vulnerability in Apple's operating systems allows third-party applications to access sensitive user data through improper state management during authorization checks. The vulnerability affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Tahoe 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier across multiple Apple devices and platforms. An attacker can exploit this by crafting a malicious application that circumvents authorization controls to read protected user information without explicit user consent. No CVSS score, EPSS probability, or active exploitation status has been disclosed by Apple, though the vulnerability spans all major Apple operating systems indicating broad platform impact.
An information leakage vulnerability affecting Apple's operating systems across multiple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) allows third-party applications to access sensitive user data through insufficient validation mechanisms. The vulnerability impacts all versions prior to the 26.4 release across affected platforms, enabling malicious or compromised applications to bypass access controls and exfiltrate private user information. While no CVSS score, EPSS data, or active exploitation in the wild has been publicly disclosed, the breadth of affected platforms and the fundamental nature of information disclosure vulnerabilities suggest moderate to significant real-world risk.
An authorization bypass vulnerability in macOS allows applications to access sensitive user data through improper state management. The vulnerability affects macOS Sonoma 14.8.4 and earlier versions, as well as macOS Tahoe 26.3 and earlier, enabling unprivileged apps to circumvent authorization checks and obtain restricted user information. Apple has addressed this issue through patched releases, and no public exploitation activity or proof-of-concept code has been reported at this time.
A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.
A kernel stack memory leak exists in the Linux kernel's RDMA/ionic driver within the ionic_create_cq() function, where uninitialized stack memory is copied to userspace via the ionic_cq_resp structure. An unprivileged local attacker with access to RDMA/ionic devices can trigger this vulnerability to leak up to 11 bytes of sensitive kernel stack data, potentially revealing kernel addresses, cryptographic material, or other sensitive information useful for further exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept has been disclosed; however, patches are available across multiple stable kernel branches.
A resource management vulnerability exists in the Linux kernel's nvmet-fcloop NVMe-FC loopback driver where the lsrsp (LS response) callback is invoked without proper validation of the remote port state, potentially leading to use-after-free or double-free conditions. This affects Linux kernel implementations using nvmet-fcloop for NVMe-FC transport emulation across all versions prior to the patch commits (f30b95159a53e72529a9ca1667f11cd1970240a7, 31d3817bcd9e192b30abe3cf4b68f69d48864dd2, dd677d0598387ea623820ab2bd0e029c377445a3). An attacker with local kernel-level access or ability to trigger abnormal nvmet-fcloop state transitions could potentially cause information disclosure or denial of service through memory corruption.
A NULL pointer dereference vulnerability exists in the Linux kernel's DRM client subsystem within the drm_client_modeset_probe function. When memory allocation for the 'modes' variable fails via kcalloc, the error handling path incorrectly attempts to destroy a NULL pointer, leading to a kernel panic or denial of service. This affects all Linux kernel versions containing this vulnerable code path in the DRM display driver subsystem.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.
A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.
A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.
A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.
A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.
A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.
A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.
A null pointer dereference vulnerability exists in the Linux kernel's libie firmware logging module where the libie_fwlog_deinit() function attempts to unroll firmware logging structures even when logging was never properly initialized, causing kernel panics during driver unload. This affects the ixgbe driver and potentially other devices using the libie_fwlog module across multiple Linux kernel versions. An unprivileged local attacker with module unload capabilities can trigger a denial of service by unloading the affected driver, as demonstrated through rmmod operations in recovery mode.
A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.
A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
An uninitialized variable vulnerability exists in the Linux kernel's SMB2 client implementation within the smb2_unlink() function, where failure of SMB2_open_init() or SMB2_close_init() operations (such as during reconnection) leaves iovs structures uninitialized. If subsequent cleanup functions like SMB2_open_free(), SMB2_close_free(), or smb2_set_related() attempt to operate on these uninitialized structures, the kernel will oops (crash), resulting in a denial of service condition affecting all Linux distributions and versions using affected kernel code.
This vulnerability involves improper handling of symbolic links (symlinks) in macOS, which could allow an application to access sensitive user data without proper authorization. The issue affects multiple macOS versions including Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4, representing an information disclosure vulnerability with potential impact on user privacy. Apple has released patches to address the symlink handling deficiency, though specific attack complexity and exploitation metrics are not publicly detailed.
An authorization flaw in macOS allows applications to bypass state management controls and access sensitive user data without proper authorization. The vulnerability affects macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. While no CVSS score, EPSS data, or public exploit code is currently available, Apple has silently patched this issue across three major macOS versions, suggesting it posed a meaningful risk to user privacy and data confidentiality.