Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite high CVSS 7.8 rating.
Use-after-free in Linux kernel SPI subsystem (fsl_lpspi driver) causes NULL pointer dereference when DMA channels are torn down while SPI transfers are active. Local attackers with low privileges can trigger denial of service or potentially execute arbitrary code on affected systems running Linux kernel versions from 4.10 through 7.0-rc2, particularly impacting embedded and IoT devices using Freescale LPSPI controllers. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel media subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or cause system crashes. The race condition between MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) affects request-capable V4L2 media devices in kernels since version 4.20. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0). EPSS score of 0.02% indicates very low likelihood of mass exploitation, and no active exploitation or public POC has been identified.
Use-after-free in Linux kernel virtio_net driver allows local authenticated attackers with low privileges to potentially achieve high confidentiality, integrity, and availability impact. The flaw triggers when virtio_net is configured with napi_tx=N (non-NAPI transmit mode) and the IFF_XMIT_DST_RELEASE flag is cleared by tc route filter rules. When a network namespace is destroyed while packets remain queued in the virtio transmit ring, the freed dst_ops structure is later dereferenced during packet cleanup, causing kernel memory corruption. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Use-after-free in Linux Kernel XFS filesystem allows local authenticated users to execute arbitrary code, escalate privileges, or cause system crashes during filesystem unmount operations. The vulnerability stems from a race condition where background reclaim and inodegc processes continue running while the Active Item List (AIL) is being flushed during unmount, enabling concurrent access to freed memory structures. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% suggests very low probability of mass exploitation, and no active exploitation or public POC is identified at time of analysis.
Use-after-free in Linux Kernel XFS file system allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability affects XFS implementations from kernel 5.9 onward due to improper handling of Active Item List (AIL) pointers when performing buffer I/O in inode and quota push callbacks. With EPSS exploitation probability at 0.02% and no confirmed active exploitation, this represents a moderate real-world risk limited by local access requirements and low attack complexity. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0).
Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Local privilege escalation in Linux Kernel ext4 filesystem allows authenticated users to trigger kernel crashes and potentially execute arbitrary code with high privileges. The vulnerability stems from improper handling of inline data conversion when truncate() operations exceed inline storage capacity in ext4 filesystems. Affected kernel versions include mainline through 7.0-rc3 and stable branches 5.10.x through 6.19.x, with vendor patches available across all active kernel series. EPSS exploitation probability is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local impact if exploited.
Linux kernel ext4 filesystem allows mounting of maliciously crafted filesystems with bigalloc and non-zero s_first_data_block, potentially triggering memory corruption or information disclosure. Affects all Linux kernel versions from 2.6.12 (commit 1da177e) through 7.0, with patches released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11. CVSS 7.8 indicates high severity with local access and user interaction required. EPSS score of 0.02% (7th percentile) suggests low probability of widespread exploitation, and no active exploitation confirmed (not in CISA KEV).
Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. Fixed in stable kernel releases 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (7th percentile) suggests low probability of exploitation in the wild, though CVSS vector indicates straightforward local exploitation requiring user interaction.
Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.
Out-of-bounds memory access in Linux kernel perf subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact. The vulnerability occurs when group_sched_in() fails during performance monitoring event handling and event inheritance uses the wrong PMU (Performance Monitoring Unit) context, leading to improper rollback and memory corruption. Despite high CVSS score (7.8), EPSS probability indicates very low real-world exploitation likelihood (0.02%, 5th percentile). Vendor patches available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) per git.kernel.org commit references.
Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than actively exploited threat despite the high CVSS 7.8 score.
Signed integer overflow in the Linux kernel's BPF interpreter enables local attackers with low privileges to achieve out-of-bounds memory access and potentially execute arbitrary code. The flaw occurs when the 32-bit signed division/modulo operations handle INT_MIN (0x80000000), causing the abs() macro to trigger undefined behavior that creates a mismatch between the verifier's abstract interpretation and the interpreter's runtime behavior. With an EPSS score of 0.02% and no confirmed active exploitation, the primary risk is to systems where unprivileged users can load BPF programs, though default kernel configurations typically restrict BPF to privileged users. Patches are available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11).
Use-after-free in Linux kernel XFRM subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability arises when XFRM policy hash threshold work items (policy_hthresh.work) outlive network namespace teardown, dereferencing freed struct net memory in xfrm_hash_rebuild(). Vendor patches available across multiple stable kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0) confirm the issue affects kernels since commit 880a6fab8f6b. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS:3.1 score of 7.8; no CISA KEV listing or public POC identified at time of analysis.
Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). No evidence of active exploitation (not in CISA KEV), low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite high CVSS severity.
Double-free memory corruption in Linux kernel bcmasp network driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, privilege escalation, or system crash. The vulnerability affects kernel versions 6.6 through early 7.0 release candidates. Vendor patches available across stable branches (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability, and no active exploitation or public POC has been identified. This represents a low-priority issue for most environments despite the 7.8 CVSS score, as it requires local authenticated access and affects only systems using the specific bcmasp Broadcom network driver.
Out-of-bounds memory write in Linux kernel iavf (Intel Adaptive Virtual Function) driver allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact via race condition during concurrent ethtool operations. The vulnerability stems from inconsistent use of queue counters (real_num_tx_queues vs num_active_queues vs num_tx_queues) across ethtool statistics functions, enabling memory corruption when changing network channels via 'ethtool -L' while simultaneously querying statistics with 'ethtool -S'. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit or active exploitation identified at time of analysis.
Type confusion in Linux kernel team driver allows local authenticated users to trigger memory corruption and potential privilege escalation. The team_setup_by_port() function incorrectly copies header_ops from non-Ethernet lower devices (such as GRE interfaces) without proper context validation, causing callbacks like dev_hard_header() to interpret netdev_priv() as the wrong structure type when processing stacked network topologies (e.g., gre → bond → team). While CVSS rates this 7.8 (High), EPSS probability is very low at 0.02% (5th percentile), and no active exploitation or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel Bluetooth Intel driver enables local privilege escalation to kernel code execution. Affects Linux kernel 4.3 through 7.0-rc5, with patches available in versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. Exploitation requires local authenticated access with low privileges (CVSS PR:L). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis, though technical details in CVE description provide implementation roadmap.
Use-after-free in Linux kernel's xe GPU driver allows local authenticated users to execute arbitrary code with kernel privileges. The vulnerability occurs in the SR-IOV physical function migration restore path when error handling fails to nullify a freed data pointer, enabling subsequent write operations to reference deallocated memory. With CVSS 7.8 (High) and very low EPSS (0.02%), this represents typical kernel memory corruption risk requiring local access and low privileges. Vendor patches are available for affected 6.19 and 7.0-rc versions.
Use-after-free in Linux kernel meson-spicc SPI driver allows local authenticated attackers to escalate privileges or crash the system. The vulnerability stems from a double-put reference counting error during driver removal - devm_spi_register_controller() already handles cleanup automatically, but meson_spicc_remove() explicitly calls spi_controller_put() again, releasing the same memory twice. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). This targets systems using Amlogic Meson SoC SPI controllers, requiring local authenticated access to exploit.
Use-after-free in Linux kernel AMD display driver allows local authenticated users to execute arbitrary code, corrupt memory, or cause denial of service. Affects systems with AMD graphics using Display Stream Compression (DSC) and multi-stream transport (MST), particularly laptops with integrated displays and external DP-MST monitors. The vulnerability arises when mode changes occur simultaneously with DSC reconfigurations, causing improper stream lifecycle management. Vendor patch available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% indicates low exploitation probability in the wild, with no CISA KEV listing or public exploit identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: drm/xe: always keep track of remap prev/next During 3D workload, user is reporting hitting: [ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925 [ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy) [ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe] [ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282 [ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000 [ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000 [ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380 [ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380 [ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000 [ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0 [ 413.362088] PKRU: 55555554 [ 413.362089] Call Trace: [ 413.362092] <TASK> [ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe] Which seems to hint that the vma we are re-inserting for the ops unwind is either invalid or overlapping with something already inserted in the vm. It shouldn't be invalid since this is a re-insertion, so must have worked before. Leaving the likely culprit as something already placed where we want to insert the vma. Following from that, for the case where we do something like a rebind in the middle of a vma, and one or both mapped ends are already compatible, we skip doing the rebind of those vma and set next/prev to NULL. As well as then adjust the original unmap va range, to avoid unmapping the ends. However, if we trigger the unwind path, we end up with three va, with the two ends never being removed and the original va range in the middle still being the shrunken size. If this occurs, one failure mode is when another unwind op needs to interact with that range, which can happen with a vector of binds. For example, if we need to re-insert something in place of the original va. In this case the va is still the shrunken version, so when removing it and then doing a re-insert it can overlap with the ends, which were never removed, triggering a warning like above, plus leaving the vm in a bad state. With that, we need two things here: 1) Stop nuking the prev/next tracking for the skip cases. Instead relying on checking for skip prev/next, where needed. That way on the unwind path, we now correctly remove both ends. 2) Undo the unmap va shrinkage, on the unwind path. With the two ends now removed the unmap va should expand back to the original size again, before re-insertion. v2: - Update the explanation in the commit message, based on an actual IGT of triggering this issue, rather than conjecture. - Also undo the unmap shrinkage, for the skip case. With the two ends now removed, the original unmap va range should expand back to the original range. v3: - Track the old start/range separately. vma_size/start() uses the va info directly. (cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
Use-after-free in Linux kernel ISO-TP CAN protocol driver allows local authenticated users to read freed memory, corrupt kernel state, or execute arbitrary code with kernel privileges. Affects kernels from commit 96d1c81e to 6.6.131, 6.12.80, 6.18.21, and 6.19.11. Vendor-released patches available across stable kernel branches. EPSS score 0.02% (5th percentile) indicates low probability of mass exploitation, and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local privilege escalation potential if successfully exploited.
Memory corruption in the Linux kernel VFIO PCI subsystem allows local authenticated users to trigger double-free conditions and potentially execute arbitrary code with kernel privileges. The vulnerability stems from an incorrect error-handling path in the dma-buf export feature that calls dma_buf_put() before dma_buf_export() succeeds, leading to unbalanced reference counts and memory corruption during file descriptor exhaustion scenarios. Exploitation probability remains very low (EPSS 0.02%, 5th percentile) with no public exploit code or evidence of active exploitation. Patches are available in stable kernel versions 6.19.11 and 7.0.
Buffer overflow in Linux kernel ext4 filesystem allows local attackers with user interaction to achieve arbitrary code execution via crafted extent tree metadata. The ext4_ext_correct_indexes() function fails to validate index pointer bounds when walking up the extent tree, enabling slab-out-of-bounds memory reads when processing malicious filesystem images. With CVSS 7.8 (high severity) but only 0.02% EPSS (5th percentile), this represents elevated theoretical risk with minimal observed real-world exploitation. Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0), and no public exploit code or active exploitation confirmed at time of analysis.
Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.
Memory corruption in the Linux kernel sma1307 ASoC driver allows local authenticated users to trigger a double-free condition leading to potential privilege escalation, denial of service, or information disclosure. The vulnerability stems from improper cleanup of device-managed memory allocations in error paths within the sma1307_setting_loaded() function, where devm_kzalloc()-allocated resources are incorrectly freed with kfree(), causing devres to later release the same memory a second time. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Use-after-free in Linux kernel XFRM IPTFS subsystem allows local authenticated attackers to trigger high-severity memory corruption through failed state cloning operations. The vulnerability stems from premature publication of mode_data pointer before allocation completion, enabling arbitrary code execution, privilege escalation, or denial of service when IPsec IP-TFS (IP Traffic Flow Security) mode cloning fails. Vendor patches available for kernel versions 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, likely due to the specific IPTFS configuration prerequisite and local access requirement.
Use-after-free in Linux kernel idxd DMA engine driver allows local authenticated attackers to execute arbitrary code, disclose sensitive memory, or crash the system when Function Level Reset operations fail to allocate scratch memory. The vulnerability affects Linux kernels from commit 98d187a98903 through versions 6.14, 6.18.x before 6.18.21, and 6.19.x before 6.19.11. Vendor patches are available across stable branches with EPSS indicating 0.02% exploitation probability (4th percentile), suggesting limited active targeting despite the high CVSS 7.8 score. No CISA KEV listing or public exploit code identified at time of analysis.
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.
Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.
Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.
Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.
Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.
Remote unauthenticated denial of service crashes Nimiq blockchain nodes by exploiting a protocol state machine flaw. Attackers can force panic conditions in the libp2p discovery handler by opening duplicate protocol substreams, immediately taking peer-to-peer networking offline until manual restart. Vendor-released patch available in version 1.3.0 with no workarounds for unpatched systems, creating urgent upgrade requirement for blockchain node operators.
Denial of service in nimiq-primitives (Nimiq blockchain core library) allows remote unauthenticated attackers to crash nodes via malformed peer-to-peer messages. Attackers announce election macro blocks containing invalid compressed BLS voting keys, triggering an unwrap() panic during header hash validation. Affects all versions prior to 1.3.0. CVSS 7.5 (High) with network attack vector and no complexity. No public exploit identified at time of analysis, but attack is trivial to execute given the network-accessible attack surface and lack of authentication requirements.
Unauthenticated remote attackers can crash free5GC Policy Control Function (PCF) versions before 1.4.3 via repeated HTTP requests to the OAM endpoint over the Service-Based Interface. Each request leaks memory by registering duplicate CORS middleware in the Gin router handler chain, causing progressive memory exhaustion that prevents all User Equipment from establishing 5G sessions. Patched in version 1.4.3 via commit 599803b. EPSS data unavailable; not listed in CISA KEV. CVSS 7.5 High severity reflects network-accessible unauthenticated attack with high availability impact.
Uncontrolled resource consumption in Progress Telerik UI for AJAX RadAsyncUpload component allows remote unauthenticated attackers to exhaust disk space by uploading files exceeding configured size limits through chunked upload bypass. The vulnerability arises from missing cumulative size validation during chunk reassembly, enabling attackers to circumvent intended upload restrictions. No authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), making this exploitable against any internet-facing application using affected versions. Patch available in version 2026.1.421. No CISA KEV listing or public exploit code identified at time of analysis, but low attack complexity and no authentication barrier indicate straightforward exploitation potential.
Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.
Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.
Deadlock in Linux kernel EROFS filesystem bio completion path enables remote denial of service. When EROFS decompress operations occur in process context (e.g., dm-verity scenarios), vm_map_ram() called with GFP_KERNEL can trigger memory swapping I/O under low memory conditions, causing submit_bio_wait() to deadlock when bio_list is already initialized. CVSS rates this 7.5 High with network attack vector requiring no authentication, yet EPSS scores only 0.02% (7th percentile), suggesting theoretical rather than observed exploitation. Patches available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). Not listed in CISA KEV and no public exploit identified at time of analysis.
Remote denial of service in dnsdist allows unauthenticated attackers to crash the DNS load balancer by sending specially crafted DNSCrypt queries that trigger a divide-by-zero error. The vulnerability requires no authentication, low attack complexity, and directly impacts service availability for all DNS traffic routed through affected dnsdist instances. Organizations using DNSCrypt protocol support in dnsdist face immediate risk of service disruption from remote attackers.
Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.
Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descriptions to inject malicious code into generated HTTP client libraries. Exploitation requires developers to generate clients from untrusted or compromised OpenAPI specifications, then compile and execute the poisoned code. The attack chain culminates in arbitrary code execution within the context of applications using the tainted generated clients. CVSS 7.3 with local attack vector and user interaction required suggests lower immediate urgency, though EPSS data is unavailable. No public exploit code or active exploitation confirmed at time of analysis.
Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. CVSS 7.3 (High) with CVSS 4.0 E:P (Proof-of-concept exists). Vendor patch available in version 7.23.0 per GitHub security advisory GHSA-x7cq-4f4c-8qcv.
Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. Exploitation requires only low-privilege authentication (PR:L) and has publicly available exploit code (E:P in CVSS 4.0 vector). Vendor-confirmed patch available in version 7.23.0.
Apache HttpClient 5.6 skips mutual authentication verification in SCRAM-SHA-256 handshakes, allowing network attackers to impersonate legitimate servers without credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise confidentiality and integrity of authenticated sessions. Apache released patched version 5.6.1 addressing the missing authentication check. EPSS score of 0.03% suggests low current exploitation activity, though the network-accessible attack surface (AV:N/AC:L/PR:N) and availability of detailed vendor advisory increase exploitation risk once attackers adapt tooling for SCRAM protocol manipulation.