Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.
Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. This configuration weakness enables complete system compromise through social engineering attacks. CVSS 8.8 with network vector but requires user interaction, reducing automatic exploitation risk. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.
Session fixation in pyLoad 0.5.0b3.dev97 and earlier allows authenticated users to retain revoked administrative privileges until logout. After an administrator demotes a user's role or revokes permissions, the affected user's active session continues to operate with the old cached privileges, enabling unauthorized administrative actions. Publicly available exploit code exists via GitHub commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1. With CVSS 8.8 (High) but requiring low-privilege authentication (PR:L), this represents an elevation-of-privilege vector in multi-user pyLoad deployments where role changes are expected to take immediate effect.
Race condition in Linux kernel ext4 filesystem allows denial of service through kernel panic when fast commit feature processes incompletely initialized journal inodes. Affects Linux kernel versions from 3.11 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) prior to patched versions released in early 2025. Vendor patches available across all affected stable branches. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit code identified at time of analysis. CVSS 8.8 reflects authenticated network attack vector, though real-world risk limited to systems where attackers have filesystem write access and ext4 fast commit is enabled.
Read retry logic in the Linux kernel's netfs subsystem can incorrectly abandon all remaining subrequests due to an uninitialized or invalid pointer, potentially exposing unintended memory contents or causing denial of service through kernel crashes. Affects Linux kernel 6.12 through early 6.19 and 7.0 development branches. Vendor patches available for 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability. Not listed in CISA KEV. CVSS 8.8 reflects network attack vector with user interaction required.
Out-of-bounds write in Linux kernel ksmbd allows authenticated remote attackers to cause memory corruption via crafted SMB2 compound requests combining QUERY_DIRECTORY and QUERY_INFO commands. The vulnerability arises when get_file_all_info() fails to validate OutputBufferLength against available buffer space before converting filenames to UTF-16, enabling buffer overflow beyond response buffer boundaries. With CVSS 8.8 (High) and network attack vector requiring only low privileges, this presents significant risk to systems running ksmbd SMB server. Vendor patches available across multiple kernel versions (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability remains low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing identified at time of analysis.
Out-of-bounds write in Linux kernel's ksmbd server allows authenticated remote attackers with low-privilege SMB access to corrupt memory and potentially execute arbitrary code or crash the system. The vulnerability triggers when processing compound SMB2 requests (e.g., READ + QUERY_INFO for security descriptors) where the first command consumes most of the response buffer, causing ksmbd to write beyond allocated memory when building security descriptors from POSIX ACLs. Vendor patches are available for kernel versions 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.01% suggests low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.
{ requireWellFormed: true } to maintain backward compatibility with W3C spec defaults; existing code remains vulnerable unless explicitly migrated.
Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.
{requireWellFormed: true} to serializeToString() to enable validation guards; default behavior remains vulnerable to preserve backward compatibility with DOM Parsing spec.
XML node injection in @xmldom/xmldom allows remote unauthenticated attackers to inject arbitrary XML elements by embedding the processing instruction closing delimiter `?>` in PI data. The serializer emits attacker-controlled data verbatim without escaping or validation, causing the remainder of the payload to be interpreted as active XML markup. Publicly available exploit code exists (GitHub PoC from April 2026). EPSS data not provided; CVSS 8.7 reflects high integrity impact (VI:H) with network vector and no authentication required. Patch available in versions 0.8.13+ and 0.9.10+ but requires opt-in `requireWellFormed: true` flag - default behavior remains vulnerable for backward compatibility.
Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the `fio_json_parse` function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.
HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).
Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases despite Changed Scope (CVSS S:C) indicating potential cross-boundary impact. EPSS and exploitation data not available; SSVC indicates no known exploitation, non-automatable attack requiring low-privilege authentication, with partial technical impact to confidentiality and integrity.
Local privilege escalation in pcvisit Remote Host Modul on Windows allows low-privileged users to gain NT AUTHORITY\SYSTEM by overwriting the service binary with malicious code that executes automatically at boot. All versions after 22.6.22.1329 through 25.12.3.1745 are affected due to weak file permissions (CWE-276). Vendor patched in version 25.12.3.1745 per advisory. EPSS and KEV status unknown, but vulnerability is trivial to exploit (CVSS AV:L/AC:L/PR:L) with maximum local impact (8.5 High).
Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.
All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.
Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.
GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to bypass access controls and read titles of confidential or private issues in public projects through improper validation in the issue description rendering process. The vulnerability requires valid user credentials but no elevated privileges, affecting the confidentiality of issue metadata that should be restricted. Publicly available exploit code exists, and a vendor patch is available.
SQL injection in Daptin's `/aggregate/:typename` endpoint allows authenticated low-privilege users to extract arbitrary database content via unsanitized query parameters. The `column` and `group` parameters are passed directly to raw SQL literal expressions without validation, enabling data exfiltration from any table including user credentials, database schema disclosure, and cross-table correlation attacks. Patched in version 0.11.4 which replaces all raw SQL construction with parameterized queries and schema-based validation. No evidence of active exploitation or public POC at time of analysis, though exploitation is straightforward for authenticated users.
Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. Vendor patch available via GitHub commit dca94641; no active exploitation confirmed at time of analysis.
Remote unauthenticated denial-of-service in Linux kernel's ksmbd SMB server allows attackers to terminate arbitrary active user sessions by sending crafted multichannel binding requests with invalid credentials. The flaw affects ksmbd (kernel-mode SMB server) across multiple stable kernel branches (6.1.x through 7.0). Vendor patches available for all affected versions. EPSS score of 0.08% (23rd percentile) indicates low observed exploitation likelihood, with no CISA KEV listing or public POC identified at time of analysis. The CVSS 8.2 rating reflects network-accessible attack surface with high availability impact, though actual exploitation requires specific SMB multichannel configuration.
Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis. The CVSS 8.1 (High) reflects network accessibility but 'High' attack complexity (AC:H), indicating successful exploitation requires specific conditions beyond simple network access.
Mass deletion of content, assets, and user accounts in Statamic CMS versions prior to 5.73.20 and 6.13.0 occurs via query parameter manipulation on Control Panel endpoints (requiring minimal authentication like 'view entries' permission) or unauthenticated exploitation through REST/GraphQL APIs if explicitly enabled without authentication. Authenticated attackers with low-privilege viewer roles can escalate to delete resources they should only read. Unauthenticated attackers can exploit misconfigured API endpoints (non-default configuration) to achieve the same destructive impact. CVSS 8.1 (High) reflects network-accessible attack with low complexity, though exploitation conditions vary significantly by deployment configuration. No active exploitation confirmed (not in CISA KEV), EPSS data not provided.
Stack-based buffer overflow in Dell PowerProtect Data Domain DD OS allows remote unauthenticated attackers to execute arbitrary commands on vulnerable appliances. Affects Feature Release versions 7.7.1.0-8.6, LTS2025 (8.3.1.0-8.3.1.10), and LTS2024 (7.13.1.0-7.13.1.60). Despite network-accessible attack vector (AV:N/PR:N), high attack complexity (AC:H) indicates specialized exploit conditions. CISA SSVC framework rates exploitation as 'none' and automatable as 'no', suggesting manual, targeted exploitation rather than mass scanning. No active exploitation confirmed at time of analysis. Dell has released patches across all affected release tracks (DSA-2026-060).
Stack-based buffer overflow in rust-openssl's MdCtxRef::digest_final() allows safe Rust code to corrupt memory when EVP_DigestFinal() writes beyond the provided output buffer boundary. The vulnerability occurs when the output buffer is smaller than EVP_MD_CTX_size(ctx), causing EVP_DigestFinal() to write past the buffer end and corrupt stack memory. Vendor-released patch available in version 0.10.78 via GitHub commit 826c3888. No public exploit identified at time of analysis, but exploitable from memory-safe Rust code paths, violating Rust's safety guarantees.
Out-of-bounds memory access in Linux kernel's IBM Virtual Fibre Channel (ibmvfc) driver allows adjacent network attackers to leak kernel memory contents. A compromised or malicious VIO server can supply a crafted num_written value exceeding max_targets in discover targets MAD responses, causing unbounded indexing into disc_buf[] and embedding out-of-bounds kernel data in subsequent PLOGI and Implicit Logout MADs sent back to the attacker. Vendor patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.
Buffer over-read in Linux kernel Bluetooth L2CAP allows adjacent network attackers to disclose sensitive kernel memory and crash systems via malformed Enhanced Credit Based Connection Requests. Affects multiple stable kernel versions (6.12.x, 6.18.x, 6.19.x). Vendor patches available for all affected branches. EPSS score of 0.02% indicates low observed exploitation probability despite the network-adjacent attack vector and lack of required authentication. No public exploit identified at time of analysis.
Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.
Out-of-bounds write in the Linux kernel macb Ethernet driver allows local authenticated users with low privileges to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects the ethtool statistics collection path where gem_get_ethtool_stats() writes statistics for MACB_MAX_QUEUES regardless of the actual number of active queues, causing a 760-byte buffer overflow when fewer queues are configured. KASAN validation confirms heap corruption with a write beyond allocated vmalloc region boundaries. No active exploitation confirmed (not in CISA KEV), and EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel Open vSwitch module causes system crash when deleting network interfaces on PREEMPT_RT kernels. The vulnerability is confirmed patched in multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) with upstream fixes available via kernel.org commits. EPSS score of 0.02% (7th percentile) indicates very low exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Local authenticated access required (CVSS AV:L/PR:L) with high impact (CVSS 7.8), but exploitation depends on PREEMPT_RT kernel configuration and specific Open vSwitch teardown race conditions.
Double-free vulnerability in Linux kernel SMC (Shared Memory Communications) splice handling allows local authenticated attackers to trigger use-after-free conditions and kernel panic. The flaw occurs when tee(2) duplicates an SMC pipe buffer: both the original and cloned pipe_buffer share the same smc_spd_priv pointer, causing smc_rx_pipe_buf_release() to free the same memory twice on pipe cleanup. This escalates from KASAN-detected slab-use-after-free to NULL pointer dereference in smc_rx_update_consumer(), resulting in denial of service via kernel crash. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile) with no public exploit or CISA KEV listing at time of analysis.
Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite high CVSS 7.8 rating.
Use-after-free in Linux kernel SPI subsystem (fsl_lpspi driver) causes NULL pointer dereference when DMA channels are torn down while SPI transfers are active. Local attackers with low privileges can trigger denial of service or potentially execute arbitrary code on affected systems running Linux kernel versions from 4.10 through 7.0-rc2, particularly impacting embedded and IoT devices using Freescale LPSPI controllers. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel media subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or cause system crashes. The race condition between MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) affects request-capable V4L2 media devices in kernels since version 4.20. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0). EPSS score of 0.02% indicates very low likelihood of mass exploitation, and no active exploitation or public POC has been identified.
Use-after-free in Linux kernel virtio_net driver allows local authenticated attackers with low privileges to potentially achieve high confidentiality, integrity, and availability impact. The flaw triggers when virtio_net is configured with napi_tx=N (non-NAPI transmit mode) and the IFF_XMIT_DST_RELEASE flag is cleared by tc route filter rules. When a network namespace is destroyed while packets remain queued in the virtio transmit ring, the freed dst_ops structure is later dereferenced during packet cleanup, causing kernel memory corruption. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Use-after-free in Linux Kernel XFS filesystem allows local authenticated users to execute arbitrary code, escalate privileges, or cause system crashes during filesystem unmount operations. The vulnerability stems from a race condition where background reclaim and inodegc processes continue running while the Active Item List (AIL) is being flushed during unmount, enabling concurrent access to freed memory structures. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% suggests very low probability of mass exploitation, and no active exploitation or public POC is identified at time of analysis.
Use-after-free in Linux Kernel XFS file system allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability affects XFS implementations from kernel 5.9 onward due to improper handling of Active Item List (AIL) pointers when performing buffer I/O in inode and quota push callbacks. With EPSS exploitation probability at 0.02% and no confirmed active exploitation, this represents a moderate real-world risk limited by local access requirements and low attack complexity. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0).
Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Local privilege escalation in Linux Kernel ext4 filesystem allows authenticated users to trigger kernel crashes and potentially execute arbitrary code with high privileges. The vulnerability stems from improper handling of inline data conversion when truncate() operations exceed inline storage capacity in ext4 filesystems. Affected kernel versions include mainline through 7.0-rc3 and stable branches 5.10.x through 6.19.x, with vendor patches available across all active kernel series. EPSS exploitation probability is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local impact if exploited.
Linux kernel ext4 filesystem allows mounting of maliciously crafted filesystems with bigalloc and non-zero s_first_data_block, potentially triggering memory corruption or information disclosure. Affects all Linux kernel versions from 2.6.12 (commit 1da177e) through 7.0, with patches released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11. CVSS 7.8 indicates high severity with local access and user interaction required. EPSS score of 0.02% (7th percentile) suggests low probability of widespread exploitation, and no active exploitation confirmed (not in CISA KEV).
Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. Fixed in stable kernel releases 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (7th percentile) suggests low probability of exploitation in the wild, though CVSS vector indicates straightforward local exploitation requiring user interaction.
Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.
Out-of-bounds memory access in Linux kernel perf subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact. The vulnerability occurs when group_sched_in() fails during performance monitoring event handling and event inheritance uses the wrong PMU (Performance Monitoring Unit) context, leading to improper rollback and memory corruption. Despite high CVSS score (7.8), EPSS probability indicates very low real-world exploitation likelihood (0.02%, 5th percentile). Vendor patches available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) per git.kernel.org commit references.
Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than actively exploited threat despite the high CVSS 7.8 score.
Signed integer overflow in the Linux kernel's BPF interpreter enables local attackers with low privileges to achieve out-of-bounds memory access and potentially execute arbitrary code. The flaw occurs when the 32-bit signed division/modulo operations handle INT_MIN (0x80000000), causing the abs() macro to trigger undefined behavior that creates a mismatch between the verifier's abstract interpretation and the interpreter's runtime behavior. With an EPSS score of 0.02% and no confirmed active exploitation, the primary risk is to systems where unprivileged users can load BPF programs, though default kernel configurations typically restrict BPF to privileged users. Patches are available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11).
Use-after-free in Linux kernel XFRM subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability arises when XFRM policy hash threshold work items (policy_hthresh.work) outlive network namespace teardown, dereferencing freed struct net memory in xfrm_hash_rebuild(). Vendor patches available across multiple stable kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0) confirm the issue affects kernels since commit 880a6fab8f6b. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS:3.1 score of 7.8; no CISA KEV listing or public POC identified at time of analysis.