Skip to main content
CVE-2026-5767 MEDIUM This Month

Stored cross-site scripting (XSS) in SlideShowPro SC plugin for WordPress versions up to 1.0.2 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript through the `slideShowProSC` shortcode attributes due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising session tokens, stealing credentials, or performing unauthorized actions on behalf of site visitors. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5820 MEDIUM This Month

Stored cross-site scripting in Zypento Blocks plugin for WordPress up to version 1.0.6 allows authenticated attackers with Author-level privileges to inject arbitrary JavaScript into page content via the Table of Contents block. The vulnerability exists because the front-end rendering script reads heading text using innerText and renders it via innerHTML without sanitization, causing injected scripts to execute whenever users access the compromised page. No public exploit code or active exploitation has been reported at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-41455 MEDIUM PATCH This Month

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

SSRF Wekan
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-35374 MEDIUM PATCH This Month

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-35364 MEDIUM This Month

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move operations allows local attackers with write access to the destination directory to exploit a window between file deletion and recreation, injecting a symbolic link to redirect privileged write operations and overwrite arbitrary files. Exploitation requires moderate attack complexity and local access with limited privileges, but grants the ability to corrupt or modify files beyond the attacker's normal permissions. Publicly available exploit code exists but the vulnerability has not been confirmed in active exploitation.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-35360 MEDIUM This Month

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-35356 MEDIUM PATCH GHSA This Month

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attackers with write access to redirect privileged file writes to arbitrary locations. The vulnerability exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition between parent directory creation and target file creation, neither anchored to a directory file descriptor. CISA reports no active exploitation (SSVC: none), but the attack is non-automatable and requires specific concurrent write access conditions.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-35355 MEDIUM PATCH GHSA This Month

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-28950 MEDIUM PATCH This Month

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-6386 MEDIUM This Month

Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.

Privilege Escalation Freebsd
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-41511 MEDIUM PATCH GHSA This Month

OpenMcdf fails to detect cycles in Compound File Binary (CFB) directory entry red-black trees, causing indefinite loops in Storage.EnumerateEntries() and Storage.OpenStream() when processing crafted CFB files with sibling ID cycles. This denial-of-service vulnerability consumes the calling thread permanently with no recovery path via exception handling, affecting any application opening untrusted CFB documents. Patch available in version 3.1.3.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-41650 MEDIUM PATCH GHSA This Month

fast-xml-parser XMLBuilder fails to escape comment and CDATA delimiters when building XML from JavaScript objects, allowing XML injection via unescaped `-->` and `]]>` sequences in user-controlled content. Attackers can inject malicious XML elements into comments or CDATA sections, enabling XSS attacks in browser contexts, SOAP message manipulation, RSS feed poisoning, or XML structure breakage. The vulnerability requires user interaction (UI:R) and affects only XMLBuilder output that includes user-controlled comments or CDATA; no public exploit code identified at time of analysis.

Node.js XSS Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6861 MEDIUM PATCH This Month

Memory corruption in GNU Emacs SVG/CSS processing allows local attackers to trigger denial of service or information disclosure by convincing users to open specially crafted SVG files. The vulnerability requires user interaction (file opening) and local access, but results in significant impact including service disruption and potential data leakage through memory corruption exploitation.

Information Disclosure Denial Of Service Buffer Overflow Emacs
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41665 MEDIUM This Month

Integer overflow in scratch buffer initialization within Samsung Open Source ONE allows local attackers with user interaction to cause denial of service and memory corruption affecting large intermediate tensor processing. Versions prior to 1.30.0 are vulnerable. The vulnerability stems from incorrect size calculation during memory allocation for scratch buffers, resulting in undersized allocations that corrupt adjacent memory regions when large tensors are processed.

Samsung Integer Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4090 MEDIUM This Month

Inquiry Cart plugin for WordPress versions up to 3.4.2 allows unauthenticated attackers to modify plugin settings and inject malicious scripts into the admin area via Cross-Site Request Forgery (CSRF) attacks. The vulnerability exploits missing nonce verification in the settings form handler, requiring an administrator to be socially engineered into clicking a malicious link. Stored scripts execute with admin privileges, enabling account hijacking and complete site compromise.

CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4131 MEDIUM This Month

WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.

PHP CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40215 MEDIUM PATCH This Month

OpenVPN's TLS handshake race condition exposes confidential packet data from prior handshake sessions to authenticated remote attackers, affecting versions before 2.6.20 in the 2.6.x branch and before 2.7.2 in the 2.7.x branch. The CWE-125 out-of-bounds read flaw scores 6.1 under CVSS 4.0 with High confidentiality and availability impacts, though the AC:H (High Complexity) rating reflects that successful exploitation requires winning a narrow timing window, limiting opportunistic mass exploitation. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patches for both stable branches were published April 22, 2026.

Information Disclosure Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.1%
CVE-2026-30139 MEDIUM This Month

Reflected cross-site scripting (XSS) in Silverpeas Core before version 6.4.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via malicious input to the AdvancedSearch functionality. The vulnerability requires user interaction (clicking a crafted link) and affects confidentiality and integrity with partial technical impact. Publicly available exploit code exists, and CISA SSVC assessment confirms proof-of-concept availability, though this vulnerability is not yet confirmed in active widespread exploitation.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41240 MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) in DOMPurify occurs when function-based ADD_TAGS configuration is used with FORBID_TAGS, allowing attackers to bypass tag filtering and inject dangerous elements such as iframe, form, object, and embed with their attributes intact. The vulnerability stems from inconsistent handling of FORBID_TAGS compared to the separately-fixed FORBID_ATTR logic, where the forbidden tag check is short-circuited by a function-based ADD_TAGS predicate. Publicly available proof-of-concept demonstrates iframe and form injection with external URLs surviving sanitization; patch is available in version 3.4.0.

Node.js XSS Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-33262 MEDIUM PATCH This Month

Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that bypass a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.

Denial Of Service Null Pointer Dereference Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-33261 MEDIUM PATCH This Month

PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-33610 MEDIUM PATCH This Month

Denial of service in PowerDNS secondary servers occurs when a rogue primary server sends crafted DNS update requests that cause file descriptor exhaustion on the secondary, eventually rendering the secondary unable to process legitimate DNS queries. The attack requires network-level coordination between a compromised or attacker-controlled primary server and a target secondary server, with moderate attack complexity due to the need to establish a primary-secondary relationship. No active exploitation has been confirmed in CISA KEV at time of analysis.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-35363 MEDIUM PATCH GHSA This Month

The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.

Path Traversal Coreutils
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-41136 MEDIUM PATCH GHSA This Month

Improper error handling in free5GC AMF prior to version 1.4.3 allows remote attackers to invoke the HTTPUEContextTransfer handler with uninitialized request objects by sending requests with unsupported Content-Type headers. The missing default case in the Content-Type switch statement silently skips deserialization without raising an error, resulting in integrity loss when malformed or crafted payloads reach the processor with null/uninitialized state. CVSS score of 5.5 reflects low integrity impact; publicly available exploit code exists (E:P).

Deserialization Amf Free5gc
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41130 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows unauthenticated attackers to proxy arbitrary remote HTTP requests via the `resource-js` endpoint when `trustedHosts` is not explicitly configured. By manipulating the Host header, attackers can control the derived `baseUrl` used in validation, bypassing prefix checks and forcing the server to issue requests to arbitrary destinations. Patch versions 4.17.9 and 5.9.15 address the vulnerability.

SSRF
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41177 MEDIUM PATCH This Month

Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force the backend server to interact with the local filesystem via the `file://` protocol in the Restore API's `Url` parameter, potentially disclosing sensitive system information through side-channel analysis of internal logs. No public exploit code or active exploitation has been identified at time of analysis.

SSRF Squidex
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31483 MEDIUM PATCH This Month

Denial of service in Linux kernel on s390 architecture allows local authenticated attackers to crash the system by triggering an out-of-bounds access in the syscall dispatch table. The s390 syscall number is directly controlled by userspace without spectre boundary protection (array_index_nospec), enabling an attacker with local user privileges to supply an invalid syscall number that bypasses array bounds checking and causes a memory access violation. EPSS score is extremely low (0.03%), consistent with limited attack surface on s390-specific systems and requirement for local authentication.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-41129 MEDIUM PATCH This Month

Server-Side Request Forgery in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows authenticated users with asset management permissions to request arbitrary URLs via the GraphQL API, potentially exposing internal services or performing actions on behalf of the CMS server. Exploitation requires high-privilege role assignments ('Edit assets' and 'Create assets' in a volume) and is patched in versions 4.17.9 and 5.9.15. EPSS score indicates moderate exploitation probability despite high CVSS, suggesting this is primarily a risk in multi-user CMS deployments where privilege separation is weak.

SSRF
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-31495 MEDIUM PATCH This Month

Denial of service in Linux kernel netfilter ctnetlink subsystem allows local authenticated attackers to trigger undefined behavior via improper validation of TCP window scale and connection tracking state parameters. The vulnerability stems from missing netlink policy range checks that permit out-of-bounds values (TCP window scale 0-255 instead of clamped 0-14, TCP state values exceeding TCP_CONNTRACK_MAX) to be passed to kernel code expecting constrained ranges, leading to undefined behavior in shift operations and state machine logic. CVSS 5.5 (local, low complexity, requires low privileges) with EPSS 0.03% indicates low real-world exploitation likelihood despite availability of vendor patches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-4918 MEDIUM PATCH This Month

Stored cross-site scripting in IBM Guardium Data Protection 12.1 allows high-privileged administrative users to inject malicious JavaScript into the Web UI, enabling credential theft and session hijacking within trusted administrative sessions. The vulnerability requires administrative privileges and does not trigger user interaction, allowing attackers with admin access to persistently compromise the confidentiality and integrity of the system. A patch is available from IBM.

IBM XSS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31524 MEDIUM PATCH This Month

Memory leak and out-of-bounds read in the asus_report_fixup() HID driver function allows local authenticated attackers with limited privileges to cause denial of service through memory exhaustion. The vulnerability affects the ASUS HID device driver across multiple Linux kernel versions, where kmemdup()-allocated buffers were not freed properly and an out-of-bounds read could access memory beyond the original descriptor size. A patch is available from Linux kernel maintainers switching to devm_kzalloc() for proper memory lifecycle management.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31522 MEDIUM PATCH This Month

Memory leak in the HID magicmouse driver's report_fixup() function allows local authenticated attackers to cause a denial of service through repeated device interactions. The magicmouse_report_fixup() function allocates memory via kmemdup() but fails to free the allocated buffer before returning, leading to exhaustion of kernel memory on systems with a Magic Mouse connected. Vendor patches are available across multiple stable branches.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31521 MEDIUM PATCH This Month

Linux kernel module loader fails to validate ELF section index bounds in simplify_symbols(), causing kernel panic when processing modules with out-of-bounds st_shndx values such as SHN_XINDEX (0xffff). Local privileged attackers can crash the system by loading malformed or legitimately-crafted modules that exploit this missing bounds check, resulting in denial of service. The vulnerability affects all stable kernel versions from 2.6.12 through current releases; patches are available across multiple stable branches (5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, 7.0+).

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31520 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: HID: apple: avoid memory leak in apple_report_fixup() The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller.

Apple Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31519 MEDIUM PATCH This Month

A denial-of-service vulnerability in the Linux kernel's Btrfs filesystem implementation allows local authenticated attackers to cause filesystem corruption and crashes through a race condition during subvolume creation and lookup. When a newly created Btrfs subvolume's dentry cache is dropped before the BTRFS_ROOT_ORPHAN_CLEANUP flag is set, concurrent orphan cleanup operations can fail with ENOENT, creating negative dentries that prevent subvolume deletion and cause filesystem aborts. EPSS score of 0.02% indicates this is a low-probability exploitation scenario requiring specific timing and configuration conditions, though the impact is severe for affected systems. No public exploit code is identified at time of analysis.

Null Pointer Dereference Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31518 MEDIUM PATCH This Month

Memory leak in Linux kernel ESP-over-TCP implementation with asynchronous cryptography causes denial of service via socket queue exhaustion when crypto operations complete asynchronously. Authenticated local attackers can trigger the vulnerability by filling the TX queue for espintcp connections while using async crypto algorithms, preventing proper cleanup of socket buffers and gradually consuming system memory until services become unavailable. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31515 MEDIUM PATCH This Month

Denial of service in Linux kernel af_key module allows local authenticated attackers to crash the system via buffer overflow in pfkey_send_migrate() function. The vulnerability occurs because pfkey_send_migrate() fails to validate address family parameters before passing them to set_ipsecrequest(), causing truncation that overfills the socket buffer and triggers kernel panic in skb_put(). EPSS score of 0.02% indicates minimal real-world exploitation risk despite moderate CVSS severity.

Null Pointer Dereference Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31512 MEDIUM PATCH This Month

Denial of service via buffer over-read in Linux kernel Bluetooth L2CAP Enhanced Credit Based Flow Control data path allows local authenticated attackers to crash the system by sending malformed L2CAP packets with insufficient payload length. The vulnerability exists in l2cap_ecred_data_rcv() which reads the SDU length field without validating that the socket buffer contains the required 2 bytes, causing an out-of-bounds read that triggers a kernel panic when the buffer is too small. EPSS exploitation probability is 0.02% (percentile 7%), and a vendor patch is available.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31510 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel Bluetooth L2CAP implementation allows local authenticated attackers to cause a kernel panic and denial of service via the l2cap_sock_ready_cb function during L2CAP connection initialization. The vulnerability occurs when a socket pointer is dereferenced without null validation, triggering a KASAN null-ptr-deref exception that crashes the kernel. EPSS score of 0.02% indicates low real-world exploitation probability despite the moderate CVSS score; no public exploit code or active KEV listing has been identified at time of analysis.

Null Pointer Dereference Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31509 MEDIUM PATCH This Month

Denial of service via deadlock in NFC NCI subsystem when nci_close_device() flushes work queues while holding req_lock, triggering a circular lock dependency with nci_rx_work(). The vulnerability affects Linux kernels across multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0) and was reproduced in roughly 4% of nci selftest runs on debug kernels, though EPSS scoring (0.02% percentile 7%) indicates low baseline exploitation probability. Local privilege requirement and high attack complexity in practice mean real-world impact is limited to NFC-capable systems with specific workload timing.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31503 MEDIUM PATCH This Month

Linux kernel UDP socket binding fails to properly detect wildcard address conflicts when hash table collision count exceeds 10, allowing a socket to bind to a wildcard address (such as [::]:8888 or 0.0.0.0:8888) even when specific addresses on that port are already in use. This denial-of-service vulnerability affects local authenticated users who can create UDP sockets, bypassing port conflict checks that should prevent duplicate bindings. The issue stems from improper hash table selection logic in UDP's bind path, which switches from a port-only hash to an address-port hash at a threshold, creating a window where wildcard bindings are incorrectly permitted.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31498 MEDIUM PATCH This Month

Denial of service via infinite loop in Bluetooth L2CAP ERTM reconfiguration allows local authenticated attackers to exhaust system memory. The vulnerability arises from two distinct flaws: improper handling of L2CAP channel reconfiguration that leaks ERTM resources and fails to validate minimum PDU size, causing an infinite loop in l2cap_segment_sdu() when remote_mps is set to zero. EPSS score of 0.02% indicates limited exploitation likelihood despite the high CVSS score, reflecting the requirement for local access and authenticated Bluetooth channel state.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31497 MEDIUM PATCH This Month

Out-of-bounds array access in the btusb driver's Bluetooth SCO link handling allows local authenticated attackers to cause denial of service by exhausting kernel memory or crashing the Bluetooth subsystem. The btusb_work() function fails to constrain the sco_num variable before indexing a three-entry lookup table, permitting reads and potential writes past allocated buffer boundaries when four or more SCO links are active. This affects Linux kernel versions 5.8 through 7.0-rc2 and requires local access with unprivileged user privileges to trigger.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31496 MEDIUM PATCH This Month

Information disclosure in Linux kernel netfilter nf_conntrack_expect proc interface allows local authenticated users to read connection tracking expectations from other network namespaces, bypassing namespace isolation. The vulnerability affects kernel versions through 6.x and 7.0-rc releases with CVSS 5.5 (local, low complexity, high availability impact) and EPSS 0.02% exploitation probability; vendor-released patches are available for multiple stable branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31492 MEDIUM PATCH This Month

Use-after-free in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service by triggering uninitialized completion handling during queue pair creation failure. When ib_copy_to_udata fails in irdma_create_qp, the cleanup path attempts to wait on an uninitialized free_qp completion structure, resulting in a kernel panic or system hang. EPSS score of 0.02% indicates low exploitation probability despite moderate CVSS score; patch is available from vendor.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31480 MEDIUM PATCH This Month

Denial of service via deadlock in the Linux kernel tracing subsystem occurs when CPU hotplug operations interact with osnoise tracing thread lifecycle management. A local privileged user can trigger a deadlock by inducing CPU offline events while osnoise threads hold conflicting locks (interface_lock and cpus_read_lock), causing system hang. CVSS 5.5 reflects local attack vector and privilege requirement; EPSS 0.02% indicates low real-world exploitation likelihood despite deadlock severity.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31441 MEDIUM PATCH This Month

Memory leak in the Linux kernel dmaengine idxd driver occurs when a workqueue is reset, causing resources to be improperly released due to premature setting of the workqueue type to NONE. A local attacker with low privileges can trigger this condition to exhaust kernel memory and cause a denial of service. The vulnerability affects kernel versions 5.8 through 7.0 and has an available vendor patch with low exploitation probability (EPSS 0.02%).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31434 MEDIUM PATCH This Month

Memory leak in the Linux kernel btrfs filesystem driver allows a local authenticated attacker to gradually exhaust kernel memory through repeated mount and unmount operations on affected configurations. The flaw exists in check_removing_space_info(), which incorrectly uses kfree() on kobject-initialized sub-group space_info elements instead of the proper kobject_put() teardown path, leaving kobj->name string allocations unreferenced and unfreed. No public exploit exists (EPSS 0.02%, 7th percentile) and the vulnerability is not listed in CISA KEV, placing real-world risk well below the CVSS 5.5 Medium score might suggest.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-35369 MEDIUM PATCH GHSA This Month

Local denial of service in uutils coreutils kill utility before version 0.6.0 allows unprivileged users to crash the system or terminate all visible processes by exploiting incorrect argument parsing that sends SIGTERM to PID -1 instead of reporting a missing PID argument. The vulnerability requires local access and can be triggered without user interaction, distinguishing it from the correct behavior in GNU coreutils where -1 is interpreted as a signal number rather than a process identifier.

Denial Of Service Coreutils
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-35380 MEDIUM PATCH This Month

Logic error in uutils coreutils cut utility causes incorrect interpretation of the literal two-byte string '' (two single quotes) as an empty delimiter, leading to silent data corruption when processing strings with these characters. The vulnerability affects uutils coreutils versions prior to 0.8.0 and impacts automated scripts and data pipelines that rely on precise delimiter handling, as the utility may unintentionally split or join data on NUL bytes rather than intended literal characters.

Information Disclosure Coreutils
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy